
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297) #24529


Merged
merged 4 commits into from
Feb 15, 2021

orsenthil (Member) commented Feb 15, 2021

[3.8] bpo-42967: only use '&' as a query string separator (GH-24297)

Backport of fcbe0cb to 3.8

https://bugs.python.org/issue42967


AdamGold and others added 2 commits February 14, 2021 17:59
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only use "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument separator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
(cherry picked from commit fcbe0cb)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().

urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>.
(cherry picked from commit fcbe0cb)

Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
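
An added example, not part of this PR or of CPython's code: a log-audit helper that flags request targets whose query string parses differently under the "&"-only default described in the commit message above and under the earlier "&"-and-";" behaviour. It assumes a Python release that already has the separator argument; the helper names and the sample request targets are constructed for illustration.

```python
from urllib.parse import parse_qsl


def parse_amp_only(qs):
    """Behaviour after the fix: '&' is the only separator."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")


def parse_legacy(qs):
    """Emulates the earlier default, which split on both '&' and ';'."""
    # Splitting on '&' and then ';' is the same as treating ';' as '&'.
    return parse_qsl(qs.replace(";", "&"), keep_blank_values=True, separator="&")


def _group(pairs):
    grouped = {}
    for name, value in pairs:
        grouped.setdefault(name, []).append(value)
    return grouped


def separator_disagreement(qs):
    """Return the parameter names whose values differ between the two parsers."""
    new, old = _group(parse_amp_only(qs)), _group(parse_legacy(qs))
    return sorted(k for k in new.keys() | old.keys() if new.get(k) != old.get(k))


def audit(request_targets):
    """Flag request targets that two components could interpret differently."""
    findings = []
    for target in request_targets:
        _path, _, qs = target.partition("?")
        names = separator_disagreement(qs)
        if names:
            findings.append((target, names))
    return findings


# Constructed sample request targets (not taken from any real log).
SAMPLE = [
    "/search?q=tea&page=2",    # '&' only: both parsers agree
    "/search?q=tea;page=2",    # raw ';': one pair vs. two pairs
    "/item?id=7&note=a%3Bb",   # percent-encoded ';' is data, parsers agree
    "/item?id=7&ref=x;id=9",   # raw ';' changes the value list for 'id'
]

if __name__ == "__main__":
    for target, names in audit(SAMPLE):
        print(f"{target}: parsers disagree on {names}")
```

Run over access logs before upgrading, this also shows which clients still send ";"-separated queries and would need an explicit separator argument.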
@@ -303,6 +303,9 @@ algorithms implemented in this module in other circumstances.
Added the *encoding* and *errors* parameters. For non-file fields, the
value is now a list of strings, not bytes.

.. versionchanged:: 3.10
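Review bot: the ".. versionchanged:: 3.10" directive at the end of this hunk still carries the version from the original change, but this PR is a backport to the 3.8 branch, so documentation built from this branch would tell readers the behaviour change arrives in 3.10. Change the directive to the 3.8 maintenance release that will ship the fix, and check any other versionchanged or versionadded entries carried over by the cherry-pick for the same leftover version number.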
Review comment (Member, Author):

This should be 3.8.8

@ambv merged commit e3110c3 into python:3.8 Feb 15, 2021

@bedevere-bot commented:

@ambv: Please replace # with GH- in the commit message next time. Thanks!
