[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

Ken Jin report at bugs.python.org
Sat Jan 23 05:13:39 EST 2021


Ken Jin <kenjin4096 at gmail.com> added the comment:

@Adam:

>I haven't noticed, I'm sorry. I don't mind closing mine, just thought it could be a nice first contribution. 

No worries :), please don't close yours.

> Our PRs are different though - I feel like if we are to implement this, we should let the developer choose the separator and not limit to just `&` and `;` - but that discussion probably belongs in the PR.

You're right, I think that's an elegant solution. In the unlikely event web standards change again in another 5 years, the user can change the arguments themselves and cpython won't have to change. And like Eric pointed out, some people do need ';'.

@senthil
I might make some changes soon, so it may not be ready for review yet. If I go ahead with the separator idea, I'll credit Adam as a co-author in the PR, which will require them to sign the CLA too.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
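The parsing difference behind this issue, as an added example that is not part of the original message or of the CPython patch: `legacy_parse` is a hypothetical helper modelling a parser that splits on both `&` and `;`, compared with `urllib.parse.parse_qsl` called with the single `separator` argument that current CPython releases accept. The sample query strings are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus


def legacy_parse(qs):
    """Hypothetical model of a parser that treats both '&' and ';' as separators."""
    pairs = []
    for field in re.split(r"[&;]", qs):
        if not field:
            continue  # skip empty fields such as "a=1&&b=2"
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def single_sep_parse(qs, separator="&"):
    """parse_qsl with exactly one separator, chosen by the caller."""
    return parse_qsl(qs, keep_blank_values=True, separator=separator)


def parser_disagreement(qs):
    """Return both views when the two parsers see different fields, else None."""
    both = legacy_parse(qs)
    amp_only = single_sep_parse(qs)
    if both == amp_only:
        return None
    return {"both_separators": both, "ampersand_only": amp_only}


# Constructed sample query strings (not taken from the issue).
SAMPLES = [
    "page=2&sort=asc",   # only '&': both parsers agree
    "page=2;sort=asc",   # raw ';': one field or two, depending on the parser
    "q=a%3Bb&lang=en",   # percent-encoded ';' is data, never a separator
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(qs, "->", parser_disagreement(qs) or "parsers agree")
```

A check like `parser_disagreement` can be run over logged query strings to find requests that a cache and an application would interpret differently when they do not share one separator.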

