[issue42967] [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
Senthil Kumaran
report at bugs.python.org
Fri Mar 12 19:52:40 EST 2021
Senthil Kumaran <senthil at uthcode.com> added the comment:
Petr,
On
> the `separator` argument now allows multi-character strings, so you can parse 'a=1<SPLIT>b=2' with separator='<SPLIT>'. Was this intentional?
No, this was not intentional. The separator arg was just a choice, for compatibility, if someone wanted to use `;` like some of the URLs that were shared as use cases. We didn't restrict what was allowed or the length of the separator.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
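
The behaviour discussed in this message, as an added example that is not part of the original post or of CPython's code: it compares the `&`-only parse, the `;`-only parse and the older combined `&`/`;` splitting on one query string, and shows that `parse_qsl` accepts a multi-character separator. `ALLOWED_SEPARATORS`, `legacy_pairs`, `strict_parse`, `parses_differ` and the sample strings are assumptions made for illustration, and the code needs a Python release that has the `separator` parameter.

```python
from urllib.parse import parse_qsl

# Assumption: the only separators this (hypothetical) application accepts.
ALLOWED_SEPARATORS = ("&", ";")


def legacy_pairs(qs):
    """Re-create the older splitting, where both '&' and ';' ended a field."""
    return parse_qsl(qs.replace(";", "&"), separator="&")


def strict_parse(qs, separator="&"):
    """parse_qsl wrapper that refuses separators outside ALLOWED_SEPARATORS.

    parse_qsl itself accepts any non-empty str/bytes separator, including
    multi-character ones, which is the point raised in the quoted question.
    """
    if separator not in ALLOWED_SEPARATORS:
        raise ValueError(f"unsupported separator: {separator!r}")
    return parse_qsl(qs, separator=separator)


def parses_differ(qs):
    """True when the '&'-only parse and the combined '&'/';' parse disagree.

    A disagreement means two components that split the same URL differently
    (for example a cache and the application behind it) see different
    parameters, so such requests are worth logging or normalising.
    """
    return strict_parse(qs) != legacy_pairs(qs)


SAMPLE = "a=1&b=2;c=3"      # constructed query string
MULTI = "a=1<SPLIT>b=2"     # string taken from the quoted question

if __name__ == "__main__":
    print("& only      :", strict_parse(SAMPLE))
    print("; only      :", strict_parse(SAMPLE, separator=";"))
    print("& and ;     :", legacy_pairs(SAMPLE))
    print("parses differ:", parses_differ(SAMPLE))
    print("multi-char  :", parse_qsl(MULTI, separator="<SPLIT>"))
    try:
        strict_parse(MULTI, separator="<SPLIT>")
    except ValueError as exc:
        print("wrapper     :", exc)
```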