[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

Senthil Kumaran report at bugs.python.org
Sun Feb 14 10:27:08 EST 2021


Senthil Kumaran <senthil at uthcode.com> added the comment:

I finished reviewing this PR https://github.com/python/cpython/pull/24297

With the contexts given in the W3C recommendation, the Snyk.io Security Report and the pattern of usage in libraries like werkzeug and bottle, instead of ignoring this and letting this behavior be handled at the proxy software level, addressing this in the stdlib as a safeguard seems like a much better choice to me.

The change and the approach taken by Adam's patch look good to me. I have requested documentation updates and a news entry, and it will be merged for Python 3.10 and ported to earlier versions.

- Fixing this in 3.10 is going to break the behavior of software which relied on both "&" and ";" as query parameter separators. Only a single separator will be allowed, and it will default to &. This will be mentioned in the documentation.

- As we back-port this to security releases of Python, a rationale can be added for this change. The documentation or news entry could help developers with their plans to upgrade.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
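To see what the single-separator change means in practice, here is an added example (my own code, not Adam's patch or anything posted in the thread) that emulates the old both-separator splitting beside the patched `parse_qsl()`, whose `separator` keyword defaults to `&`, and reports the parameter names that a `&`-only component (such as a caching proxy building its cache key) would not see; the sample query string is constructed.

```python
"""Added example: compare the legacy urllib.parse.parse_qsl() splitting
(both '&' and ';' were separators) with the patched behaviour (a single
separator, default '&'), and flag queries where the two views disagree."""
import re
from urllib.parse import parse_qsl, unquote_plus


def legacy_parse_qsl(qs):
    """Emulate the pre-fix behaviour: '&' and ';' both split fields."""
    pairs = []
    for field in re.split(r"[&;]", qs):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def strict_parse_qsl(qs, separator="&"):
    """Post-fix behaviour: exactly one separator (the `separator`
    keyword introduced by the patch; it defaults to '&')."""
    return parse_qsl(qs, keep_blank_values=True, separator=separator)


def separator_disagreement(qs):
    """Names the legacy parser extracts that a '&'-only parser does not.

    A non-empty result means a front-end keyed on '&' and a back-end
    still splitting on ';' disagree about which parameters the request
    carries; that disagreement is what the cache-poisoning report is about."""
    front = {name for name, _ in strict_parse_qsl(qs)}
    legacy = {name for name, _ in legacy_parse_qsl(qs)}
    return sorted(legacy - front)


# Constructed sample: ';' hides a second parameter from a '&'-only view.
SAMPLE = "page=1;utm_content=x&lang=en"

if __name__ == "__main__":
    print("legacy :", legacy_parse_qsl(SAMPLE))
    print("strict :", strict_parse_qsl(SAMPLE))
    print("hidden :", separator_disagreement(SAMPLE))
```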

