[Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?

Stephen J. Turnbull stephen at xemacs.org
Sun Aug 19 13:55:31 CEST 2012


Antoine Pitrou writes:

 > That's unsubstantiated.

Sure.  If I had a CVE, I would have posted it.

 > Give an example of how sorted URLs compromise security.

That's not how you think about security; the right question about
sorted URLs is "how do you know that they *don't* compromise
security?"  We know that mishandling URLs *can* compromise security
(eg, via bugs in directory traversal).

But you know that.  What you presumably mean here is "why do you think
randomly changing query parameter order in URLs is more secure than
sorted order?"  The answer to that is that since the server can't
depend on order, it *must* handle more configurations of parameters by
design (and presumably in implementation and testing), and therefore
will be robust against more kinds of parameter configurations.  Eg,
there will be no temptation to optimize processing by handling
parameters in sorted order.

Is this a "real" danger?  Maybe not.  But every unnecessary regularity
in inputs that a program's implementation depends on is a potential
attack vector via irregular inputs.

Remember, I was responding to a claim that sorted order is *always*
better.  That's a dangerous kind of claim to make about anything that
could be input to an Internet server.

Steve


More information about the Python-Dev mailing list