[issue42967] [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
Petr Viktorin
report at bugs.python.org
Wed Mar 10 08:51:48 EST 2021
Petr Viktorin <encukou at gmail.com> added the comment:
With the fix, parse_qs[l] doesn't handle bytes separators correctly.
There is an explicit type check for str/bytes:
if not separator or (not isinstance(separator, (str, bytes))):
raise ValueError("Separator must be of type string or bytes.")
but a bytes separator fails further down:
>>> import urllib.parse
>>> urllib.parse.parse_qs('a=1,b=2', separator=b',')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/pviktori/dev/cpython/Lib/urllib/parse.py", line 695, in parse_qs
pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
File "/home/pviktori/dev/cpython/Lib/urllib/parse.py", line 748, in parse_qsl
pairs = [s1 for s1 in qs.split(separator)]
TypeError: must be str or None, not bytes
----------
nosy: +petr.viktorin
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
More information about the Python-bugs-list
mailing list