author | Senthil Kumaran <skumaran@gatech.edu> | 2021-02-15 18:03:31 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-15 18:03:31 (GMT) |
commit | c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (patch) | |
tree | afacb993137021a44a30a87d55d8507c93963c22 /Doc/library/cgi.rst | |
parent | 242f6c9ffe3dd8f613942d5364b816cc89c384be (diff) | |
[3.9] bpo-42967: only use '&' as a query string separator (GH-24297) (#24528)
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.9] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only use "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument separator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
Diffstat (limited to 'Doc/library/cgi.rst')
-rw-r--r-- | Doc/library/cgi.rst | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst index 4048592..e60a3f1 100644 --- a/Doc/library/cgi.rst +++ b/Doc/library/cgi.rst @@ -277,14 +277,14 @@ These are useful if you want more control, or if you want to employ some of the algorithms implemented in this module in other circumstances. -.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False) +.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&") Parse a query in the environment or from a file (the file defaults to - ``sys.stdin``). The *keep_blank_values* and *strict_parsing* parameters are + ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are passed to :func:`urllib.parse.parse_qs` unchanged. -.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace") +.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&") Parse input of type :mimetype:`multipart/form-data` (for file uploads). Arguments are *fp* for the input file, *pdict* for a dictionary containing @@ -303,6 +303,9 @@ algorithms implemented in this module in other circumstances. Added the *encoding* and *errors* parameters. For non-file fields, the value is now a list of strings, not bytes. + .. versionchanged:: 3.9.2 + Added the *separator* parameter. + .. function:: parse_header(string) |
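Review bot: in the first hunk (@@ -277,14 +277,14 @@), `parse()` gains `separator="&"` in its signature but no `.. versionchanged:: 3.9.2` entry is added for it, while `parse_multipart()` gets one in the following hunk. A reader of the `parse()` entry cannot tell that the parameter is new in 3.9.2, so I would add the same directive under `parse()`. Minor style point: the rewritten line "``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are" is now noticeably longer than its neighbours and could be re-wrapped.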
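Review bot: in the second hunk (@@ -303,6 +303,9 @@), the new entry reads only "Added the *separator* parameter." and leaves out the default-behaviour change that the commit message gives as the reason for the fix: only "&" is used as the separator by default, where earlier versions accepted both ";" and "&". Since this is a security fix, I would have the note say that, and say that the parameter is how a caller selects a different separator, so that anyone reading the `cgi` documentation after upgrading sees the change without having to find the commit message.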