[issue42967] [security] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

Ken Jin report at bugs.python.org
Wed Jan 20 11:06:30 EST 2021


Ken Jin <kenjin4096 at gmail.com> added the comment:

FWIW, a surprising number of things rely on treating ';' as a valid separator in the standard test suite.

From just a cursory look:

test_cgi
test_urlparse

A change in the public API of urlparse will also require a change in cgi.py's FieldStorage, FieldStorage.read_multi, parse and parse_multipart to expose that parameter since those functions forward arguments directly to urllib.parse.parse_qs internally.

If we backport this, it seems that we will *also* need to backport all those changes to cgi's public API. Otherwise, just backporting the security fix part without allowing the user to switch would break existing code.

Just my 2 cents on the issue. I'm not too familiar with security fixes in cpython anyways ;).

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
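As an added illustration (not code from the report, from Ken Jin, or from CPython), this compares the legacy behaviour of splitting a query string on both `&` and `;` with a single-separator parse, and derives the check a proxy, WAF or application could use to flag query strings the two interpretations disagree on. The function names and the constructed sample query strings are mine, not from the page.

```python
from typing import List, Tuple
from urllib.parse import unquote_plus


def split_pairs(qs: str, separators: str = "&") -> List[Tuple[str, str]]:
    """Split a query string into (key, value) pairs.

    `separators` lists every character treated as a pair delimiter.
    The legacy urllib.parse behaviour corresponds to "&;" (both
    characters split); the hardened behaviour is a single "&".
    Empty chunks are dropped; keys and values are percent-decoded.
    """
    chunks = [qs]
    # Carve the string by each separator in turn.
    for sep in separators:
        chunks = [piece for chunk in chunks for piece in chunk.split(sep)]
    pairs = []
    for chunk in chunks:
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def legacy_parse(qs: str) -> List[Tuple[str, str]]:
    """Pre-fix semantics: both '&' and ';' delimit pairs."""
    return split_pairs(qs, "&;")


def strict_parse(qs: str) -> List[Tuple[str, str]]:
    """Post-fix semantics: only '&' delimits pairs; ';' is data."""
    return split_pairs(qs, "&")


def is_ambiguous(qs: str) -> bool:
    """True when the two interpretations disagree, i.e. a raw ';' would be
    a delimiter to one component (an application on an unpatched Python)
    but part of a value to another (a cache computing its key)."""
    return legacy_parse(qs) != strict_parse(qs)


# Constructed sample query strings for this example (not from the report).
SAMPLES = ["page=1&lang=en", "page=1;lang=en", "q=x%3By&n=1"]


def flag_ambiguous(queries: List[str]) -> List[str]:
    """Return the query strings worth logging or normalising at the edge
    because legacy and strict parsing disagree on them."""
    return [q for q in queries if is_ambiguous(q)]
```

A percent-encoded semicolon (`%3B`) is decoded only after splitting, so it never changes the pair structure and is not flagged.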