[Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?

Guido van Rossum guido at python.org
Fri Aug 17 22:45:20 CEST 2012


Thanks, I filed http://bugs.python.org/issue15719 to track this.

On Fri, Aug 17, 2012 at 12:50 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> On 17.08.2012 21:27, Guido van Rossum wrote:
>>         query = sorted(query.items())
>>
>> This would not prevent breakage of unit tests, but it would make a
>> much simpler fix possible: simply sort the parameters in the URL.
>>
>> Thoughts?
>
> Sounds good. For best backwards compatibility, I'd restrict the sorting
> to the exact dict type, since people may be using non-dict mappings
> which already have a different stable order.
>
>> for all versions of Python that support PYTHONHASHSEED?
>
> I think this cannot be done, in particular not for 2.6 and 3.1 - it's
> not a security fix (*).
>
> Strictly speaking, it isn't even a bug fix, since it doesn't restore
> the original behavior that some people (like your test case) relied
> on. In particular, if somebody has fixed PYTHONHASHSEED to get a stable
> order, this change would break such installations. By that policy, it
> could only go into 3.4.
>
> OTOH, if it also checked whether there is randomized hashing, and sort
> only in that case, I think it should be backwards compatible in all
> interesting cases.
>
> Regards,
> Martin
>
> (*) I guess some may claim that the current implementation leaks
> some bits of the hash seed, since you can learn the seed from
> the parameter order, so sorting would make it more secure. However,
> I would disagree that this constitutes a feasible threat.



-- 
--Guido van Rossum (python.org/~guido)
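
Martin's suggestion in the quoted text above (sort only for the exact dict type, and only when hashing is randomized), together with an order-insensitive URL comparison for unit tests, as an added sketch that is not part of the original message and not CPython's code. The names `stable_urlencode` and `same_query` and the `randomized` parameter are hypothetical.

```python
import sys
from collections import OrderedDict
from urllib.parse import parse_qsl, urlencode, urlsplit


def stable_urlencode(query, doseq=False, randomized=None):
    """Encode `query`, sorting only in the case discussed in the thread.

    - exact dict type and randomized hashing: sort the items by key
    - any other mapping (e.g. OrderedDict): keep its own stable order
    - sequence of pairs: keep the caller's order
    """
    if randomized is None:
        # Non-zero unless hash randomization is disabled (PYTHONHASHSEED=0).
        randomized = bool(sys.flags.hash_randomization)
    if type(query) is dict and randomized:
        # Keys are unique, so the values never take part in the comparison.
        query = sorted(query.items())
    return urlencode(query, doseq=doseq)


def same_query(url_a, url_b):
    """Compare two URLs while ignoring the order of query parameters."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc, a.path) == (b.scheme, b.netloc, b.path) and \
        sorted(parse_qsl(a.query)) == sorted(parse_qsl(b.query))


if __name__ == "__main__":
    # Constructed sample parameters. On Python 3.7+ a dict keeps insertion
    # order, so the seed-dependent order from the thread is not reproduced;
    # the sort still yields one canonical string per parameter set.
    params = {"b": "2", "a": "1"}
    print(stable_urlencode(params, randomized=True))
    print(stable_urlencode(OrderedDict([("b", "2"), ("a", "1")]), randomized=True))
    print(same_query("http://host.example/p?b=2&a=1", "http://host.example/p?a=1&b=2"))
```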

