[3.7] bpo-42967: only use '&' as a query string separator (GH-24297) #24531

Merged
merged 4 commits into from
Feb 15, 2021

Member

@orsenthil orsenthil commented Feb 15, 2021

[3.7] bpo-42967: only use '&' as a query string separator (GH-24297)

Backport of fcbe0cb to 3.7

https://bugs.python.org/issue42967

AdamGold and others added 2 commits February 14, 2021 18:32
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only use "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument separator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
(cherry picked from commit fcbe0cb)

Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
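
The default change described in the commit message above, as an added example (not code from this PR or from CPython): it compares the patched `parse_qsl` default with an emulation of the earlier "&"/";" splitting and reports the parameters the two would read differently. `legacy_parse_qsl`, `parser_disagreement` and the sample query strings are constructed for illustration, and the block assumes a Python release that includes this fix.

```python
import re
from urllib.parse import parse_qsl, unquote_plus


def legacy_parse_qsl(qs):
    """Emulation of the pre-fix default, where '&' and ';' both split fields.
    Added helper for comparison only; not the CPython implementation."""
    pairs = []
    for field in re.split("[&;]", qs):
        if field:  # empty fields are skipped, as parse_qsl does
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def last_wins(pairs):
    """Collapse repeated names the way dict(...) does: the last value wins."""
    return dict(pairs)


def parser_disagreement(qs):
    """Return {name: (amp_only_value, legacy_value)} for every parameter that
    an '&'-only parser and a legacy '&'/';' parser would read differently."""
    amp_only = last_wins(parse_qsl(qs, keep_blank_values=True))  # patched default
    legacy = last_wins(legacy_parse_qsl(qs))
    names = sorted(set(amp_only) | set(legacy))
    return {n: (amp_only.get(n), legacy.get(n))
            for n in names if amp_only.get(n) != legacy.get(n)}


# Constructed sample query strings (not taken from the PR).
SAMPLES = [
    "id=1&lang=en",        # no ';' present: both parsers agree
    "id=1&note=a;id=2",    # ';' inside a value: 'id' and 'note' are read differently
    "a=1;b=2",             # ';'-only query: one field after the fix, two before
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs, "->", parser_disagreement(qs) or "parsers agree")
    # Callers that depend on ';' opt in explicitly with the new argument.
    print(parse_qsl("a=1;b=2", separator=";"))
```

A non-empty result marks a request that two components in the same path could interpret differently, which is the condition the fix removes by making "&" the only default separator.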
@@ -200,8 +202,12 @@ or on combining URL components into a URL string.
.. versionchanged:: 3.7.2
Added *max_num_fields* parameter.

.. versionchanged:: 3.10
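
Review bot: the `.. versionchanged:: 3.10` directive that closes this hunk carries the version from the main-branch change, but this PR targets the 3.7 branch, so a reader of the 3.7 docs would conclude the new behaviour does not apply to their release. It should name the 3.7 maintenance release that ships the fix, and the directive body should state both that the separator argument was added and that ";" no longer splits fields by default, since that default change is what callers need to find.
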
Member Author

This should be 3.7.10

@AdamGold
Contributor

@orsenthil Should I be the one to change the versions in all PRs? Asking cause I'm not familiar with the process.

@orsenthil
Member Author

@AdamGold - Nope. My comments were for me as placeholders, I made it so that I can get back to these.

Having said that, once ready, I will ping you to review these backports to see if everything is alright and we could merge them.

@orsenthil
Member Author

Hi Ned, the patch against 3.7 is complete. You could merge this when you get a chance and cut the release. Thank you.

@ned-deily ned-deily merged commit d0d4d30 into python:3.7 Feb 15, 2021