[Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?

"Martin v. Löwis" martin at v.loewis.de
Fri Aug 17 21:50:44 CEST 2012


On 17.08.2012 21:27, Guido van Rossum wrote:
>         query = sorted(query.items())
>
> This would not prevent breakage of unit tests, but it would make a
> much simpler fix possible: simply sort the parameters in the URL.
>
> Thoughts?

Sounds good. For best backwards compatibility, I'd restrict the sorting
to the exact dict type, since people may be using non-dict mappings
which already have a different stable order.

> for all versions of Python that support PYTHONHASHSEED?

I think this cannot be done, in particular not for 2.6 and 3.1 - it's
not a security fix (*).

Strictly speaking, it isn't even a bug fix, since it doesn't restore
the original behavior that some people (like your test case) relied
on. In particular, if somebody has fixed PYTHONHASHSEED to get a stable
order, this change would break such installations. By that policy, it
could only go into 3.4.

OTOH, if it also checked whether there is randomized hashing, and sorted
only in that case, I think it should be backwards compatible in all
interesting cases.

Regards,
Martin

(*) I guess some may claim that the current implementation leaks
some bits of the hash seed, since you can learn the seed from
the parameter order, so sorting would make it more secure. However,
I would disagree that this constitutes a feasible threat.
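
The two restrictions discussed in this message (sort only the exact `dict` type, and only when hash randomization is active), sketched as an added example that is not code from the thread or from CPython. The wrapper name `urlencode_stable` and its `randomized` override parameter are hypothetical; `sys.flags.hash_randomization` and `urllib.parse.urlencode` are the real standard-library names.

```python
import sys
from collections import OrderedDict
from urllib.parse import urlencode


def urlencode_stable(query, doseq=False, randomized=None):
    """Hypothetical wrapper around urlencode().

    Sorts the parameters only when BOTH conditions hold:
      * query is exactly a dict (subclasses and other mappings may
        already carry their own stable order, so they are left alone);
      * hash randomization is enabled, so an installation that pinned
        PYTHONHASHSEED=0 to get a fixed order keeps that order.
    """
    if randomized is None:
        # 1 when randomized hashing is on, 0 when disabled via PYTHONHASHSEED=0
        randomized = bool(sys.flags.hash_randomization)

    if type(query) is dict and randomized:
        # Keys of a dict are unique, so only the keys are ever compared.
        query = sorted(query.items())

    return urlencode(query, doseq=doseq)


def demo():
    """Constructed sample inputs showing which cases get sorted."""
    params = {"b": "2", "a": "1"}
    return {
        "dict, randomized": urlencode_stable(params, randomized=True),
        "dict, fixed seed": urlencode_stable(params, randomized=False),
        "OrderedDict": urlencode_stable(
            OrderedDict([("b", "2"), ("a", "1")]), randomized=True),
        "list of pairs": urlencode_stable(
            [("b", "2"), ("a", "1")], randomized=True),
    }


if __name__ == "__main__":
    for label, url in demo().items():
        print(f"{label:18} {url}")
```

On Python 3.7 and later a plain `dict` iterates in insertion order, so the unsorted cases here show insertion order rather than the hash-dependent order the thread is concerned with.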

