git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Senthil Kumaran <skumaran@gatech.edu>
	Mon, 15 Feb 2021 18:03:31 +0000 (10:03 -0800)
committer	GitHub <noreply@github.com>
	Mon, 15 Feb 2021 18:03:31 +0000 (10:03 -0800)
commit	c9f07813ab8e664d8c34413c4fc2d4f86c061a92
tree	afacb993137021a44a30a87d55d8507c93963c22	tree
parent	242f6c9ffe3dd8f613942d5364b816cc89c384be	commit \| diff

[3.9] bpo-42967: only use '&' as a query string separator (GH-24297) (#24528)

(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)

* [3.9] bpo-42967: only use '&' as a query string separator (GH-24297)

bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().

urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>

Doc/library/cgi.rst		diff \| blob \| blame \| history
Doc/library/urllib.parse.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.6.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.7.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.8.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.9.rst		diff \| blob \| blame \| history
Lib/cgi.py		diff \| blob \| blame \| history
Lib/test/test_cgi.py		diff \| blob \| blame \| history
Lib/test/test_urlparse.py		diff \| blob \| blame \| history
Lib/urllib/parse.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst	[new file with mode: 0644]	blob