Conversation
for more information, see https://pre-commit.ci
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #1057 +/- ##
==========================================
+ Coverage 62.36% 62.37% +0.01%
==========================================
Files 38 38
Lines 6616 6626 +10
Branches 356 356
==========================================
+ Hits 4126 4133 +7
- Misses 2463 2466 +3
Partials 27 27
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
bdraco
left a comment
bdraco
left a comment
There was a problem hiding this comment.
After looking at history and considering security perspective with this, I think this is the right fix
bdraco
added
the
bot:chronographer:skip
|
skip label added as a workaround |
|
I'm going to test this on some Home Assistant production instances with ingress just to be sure. |
|
Just realized I had already updated my primary production with this since it was in my integration branch. No obvious breakage |
| @@ -0,0 +1,2 @@ | |||
| Stopped decoding ``%2F`` (``/``) in ``URL.path``, as this could lead to code incorrectly being treated as a path separator | |||
There was a problem hiding this comment.
| Stopped decoding ``%2F`` (``/``) in ``URL.path``, as this could lead to code incorrectly being treated as a path separator | |
| Stopped decoding ``%2F`` (``/``) in ``URL.path``, as this could lead to code incorrectly treating it as a path separator |
There was a problem hiding this comment.
I'll fix it up when I do the release
|
Damn, beat me by a couple of seconds.. :P |
|
Hi @Dreamsorcerer @bdraco @webknjaz, thanks for your hard work ❤️ The I believe those changes are great but could be as an optional flag. It also could reflected better in the changelog. url = yarl.URL("amqp://localhost/%2f")
print(url.path)
# Yarl v1.9.4 -> `//`
# Yarl v1.9.5 -> `/%2F` |
|
@ofekashery would you mind opening a new issue and maybe also submitting a PR with xfailing tests per https://blog.ganssle.io/articles/2021/11/pytest-xfail.html? Comments on closed things may end up getting lost. I'm not sure if @Dreamsorcerer and @bdraco got your message in time, for example. |
|
Yeah, should probably have been a bigger version bump, but not too much we can do now. As it relates to security, I think it's still important to keep the change going forwards. |
|
Yeah, security changes are always exempt from SemVer. |
|
Sorry about that, we've decided to revert this anyway as it's caused a few more issues. If you need to know the path separators for safety, we're adding a path_safe attribute instead which skips decoding %2F and %25. |
4 participants
I've added ignore so that
/foo/bar%2fbazdoesn't become%2Ffoo%2Fbar%2Fbaz, but maybe theunsafeoption is just wrong currently?