[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
Adam Goldschmidt
report at bugs.python.org
Sat Jan 23 17:22:17 EST 2021
Adam Goldschmidt <adamgold7 at gmail.com> added the comment:
> I _didn't_ change the default - it will allow both '&' and ';' still. Eric showed a link above that still uses semicolon. So I feel that it's strange to break backwards compatibility in a patch update. Maybe we can make just '&' the default in Python 3.10, while backporting the ability to specify separators to older versions so it's up to users?
I like this implementation. I definitely think we should not break backwards compatibility and only change the default in Python 3.10.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
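An added example, not part of the original message or of the CPython patch: it contrasts the two parsing behaviours discussed in this thread and flags query strings on which they disagree. `legacy_parse` is a hand-written stand-in for the old "split on both '&' and ';'" default, `separator` is the keyword argument available on `parse_qsl` in current Python releases, and the sample query string is constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample input, not taken from the issue.
SAMPLE = "a=1&b=2;a=3"


def legacy_parse(qs):
    """Stand-in for the old default: treat both '&' and ';' as separators."""
    pairs = []
    for field in re.split(r"[&;]", qs):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def strict_parse(qs):
    """Split on '&' only, as most proxies and caches do."""
    return parse_qsl(qs, keep_blank_values=True, separator="&")


def disagreeing_params(qs):
    """Names whose effective (last) value differs between the two parsers.

    A non-empty result means a component splitting on '&' only and an
    application splitting on both would see different requests.
    """
    legacy = dict(legacy_parse(qs))
    strict = dict(strict_parse(qs))
    return sorted(k for k in legacy.keys() | strict.keys()
                  if legacy.get(k) != strict.get(k))


if __name__ == "__main__":
    print("strict :", strict_parse(SAMPLE))
    print("legacy :", legacy_parse(SAMPLE))
    print("differ :", disagreeing_params(SAMPLE))
```
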