[Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)? (original) (raw)
"Martin v. Löwis" martin at v.loewis.de
Fri Aug 17 21:50:44 CEST 2012
- Previous message: [Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?
- Next message: [Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 17.08.2012 21:27, Guido van Rossum wrote:
query = sorted(query.items())
This would not prevent breakage of unit tests, but it would make a much simpler fix possible: simply sort the parameters in the URL. Thoughts?
Sounds good. For best backwards compatibility, I'd restrict the sorting to the exact dict type, since people may be using non-dict mappings which already have a different stable order.
for all versions of Python that support PYTHONHASHSEED?
I think this cannot be done, in particular not for 2.6 and 3.1 - it's not a security fix (*).
Strictly speaking, it isn't even a bug fix, since it doesn't restore the original behavior that some people (like your test case) relied on. In particular, if somebody has fixed PYTHONHASHSEED to get a stable order, this change would break such installations. By that policy, it could only go into 3.4.
OTOH, if it also checked whether there is randomized hashing, and sort only in that case, I think it should be backwards compatible in all interesting cases.
Regards, Martin
(*) I guess some may claim that the current implementation leaks some bits of the hash seed, since you can learn the seed from the parameter order, so sorting would make it more secure. However, I would disagree that this constitutes a feasible threat.
- Previous message: [Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?
- Next message: [Python-Dev] Should urlencode() sort the query parameters (if they come from a dict)?
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]