[issue42967] [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
Matej Cepl
report at bugs.python.org
Fri Feb 26 03:20:03 EST 2021
Matej Cepl <mcepl at cepl.eu> added the comment:
> FYI - This was somewhat of an unfortunate API change. I'm coming across code that relies on ; also being treated as a separator by parse_qs(). That code is now broken with no easy way around it.
So far, we at openSUSE had to package at least SQLAlchemy, Twisted, yarl and furl. The author of the first one acknowledged use of semicolon as a bug. I don't think it was so bad.
----------
nosy: +mcepl
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________