git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Senthil Kumaran <senthil@uthcode.com>
	Mon, 15 Feb 2021 18:34:14 +0000 (10:34 -0800)
committer	GitHub <noreply@github.com>
	Mon, 15 Feb 2021 18:34:14 +0000 (13:34 -0500)
commit	d0d4d30882fe3ab9b1badbecf5d15d94326fd13e
tree	5f9cf7c531d89da3dab9d3315bde1142a5cde9bc	tree \| snapshot
parent	d9b8f138b7df3b455b54653ca59f491b4840d6fa	commit \| diff

[3.7] bpo-42967: only use '&' as a query string separator (GH-24297) (GH-24531)

bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().

urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.

Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)

Doc/library/cgi.rst		diff \| blob \| blame \| history
Doc/library/urllib.parse.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.6.rst		diff \| blob \| blame \| history
Doc/whatsnew/3.7.rst		diff \| blob \| blame \| history
Lib/cgi.py		diff \| blob \| blame \| history
Lib/test/test_cgi.py		diff \| blob \| blame \| history
Lib/test/test_urlparse.py		diff \| blob \| blame \| history
Lib/urllib/parse.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst	[new file with mode: 0644]	blob