author    Senthil Kumaran <senthil@uthcode.com>  2021-02-15 18:15:02 (GMT)
committer GitHub <noreply@github.com>  2021-02-15 18:15:02 (GMT)
commit    e3110c3cfbb7daa690d54d0eff6c264c870a71bf
tree      f67e6458fe7f63f4136bcc26fc6318fce827adff /Doc/library
parent    7777ae2ff7ba04ad20424db4efcc67246ff27b95
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297) (#24529)
* bpo-42967: only use '&' as a query string separator (#24297)

  bpo-42967: [security] Address a web cache-poisoning issue reported in
  urllib.parse.parse_qsl(). urllib.parse will only use "&" as query string
  separator by default instead of both ";" and "&" as allowed in earlier
  versions. An optional argument separator with default value "&" is added
  to specify the separator.

  Co-authored-by: Éric Araujo <merwok@netwok.org>
  Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
  Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
  Co-authored-by: Éric Araujo <merwok@netwok.org>
  (cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)

* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)

  bpo-42967: [security] Address a web cache-poisoning issue reported in
  urllib.parse.parse_qsl(). urllib.parse will only use "&" as query string
  separator by default instead of both ";" and "&" as allowed in earlier
  versions. An optional argument separator with default value "&" is added
  to specify the separator.

  Co-authored-by: Éric Araujo <merwok@netwok.org>
  Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
  Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
  Co-authored-by: Éric Araujo <merwok@netwok.org>
  (cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)

  Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>

* Update correct version information.

* fix docs and make logic clearer

Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
Diffstat (limited to 'Doc/library')
Doc/library/cgi.rst          | 11
Doc/library/urllib.parse.rst | 22
2 files changed, 28 insertions, 5 deletions
diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst
index 4048592..880074b 100644
--- a/Doc/library/cgi.rst
+++ b/Doc/library/cgi.rst
@@ -277,14 +277,16 @@ These are useful if you want more control, or if you want to employ some of the
algorithms implemented in this module in other circumstances.
-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False)
+.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&")
Parse a query in the environment or from a file (the file defaults to
- ``sys.stdin``). The *keep_blank_values* and *strict_parsing* parameters are
+ ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are
passed to :func:`urllib.parse.parse_qs` unchanged.
+ .. versionchanged:: 3.8.8
+ Added the *separator* parameter.
-.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace")
+.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&")
Parse input of type :mimetype:`multipart/form-data` (for file uploads).
Arguments are *fp* for the input file, *pdict* for a dictionary containing
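Review bot: the new ``separator="&"`` parameter added to the parse_multipart signature is never described in this hunk, while parse() at least says its *separator* is passed to :func:`urllib.parse.parse_qs` unchanged; add a sentence to the parse_multipart argument list stating what *separator* does and where it is forwarded, so the signature change is documented and not only recorded in a versionchanged note. Keeping the wording parallel between the two functions (e.g. "The *separator* parameter is passed to ... unchanged.") would also make the two entries easier to keep in sync.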
@@ -303,6 +305,9 @@ algorithms implemented in this module in other circumstances.
Added the *encoding* and *errors* parameters. For non-file fields, the
value is now a list of strings, not bytes.
+ .. versionchanged:: 3.8.8
+ Added the *separator* parameter.
+
.. function:: parse_header(string)
diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
index 25e5cc1..fcad707 100644
--- a/Doc/library/urllib.parse.rst
+++ b/Doc/library/urllib.parse.rst
@@ -165,7 +165,7 @@ or on combining URL components into a URL string.
now raise :exc:`ValueError`.
-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
Parse a query string given as a string argument (data of type
:mimetype:`application/x-www-form-urlencoded`). Data are returned as a
@@ -190,6 +190,9 @@ or on combining URL components into a URL string.
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
+ The optional argument *separator* is the symbol to use for separating the
+ query arguments. It defaults to ``&``.
+
Use the :func:`urllib.parse.urlencode` function (with the ``doseq``
parameter set to ``True``) to convert such dictionaries into query
strings.
@@ -201,8 +204,14 @@ or on combining URL components into a URL string.
.. versionchanged:: 3.8
Added *max_num_fields* parameter.
+ .. versionchanged:: 3.8.8
+ Added *separator* parameter with the default value of ``&``. Python
+ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
+ query parameter separator. This has been changed to allow only a single
+ separator key, with ``&`` as the default separator.
+
-.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&')
Parse a query string given as a string argument (data of type
:mimetype:`application/x-www-form-urlencoded`). Data are returned as a list of
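Review bot: in the new versionchanged text, "allow only a single separator key" is confusing because "key" in this section otherwise means a query key; "a single separator string" says what is meant. The note also gives no reason for the change even though the commit message labels it a security fix for a web cache-poisoning issue (bpo-42967); a short sentence pointing at that issue would help readers decide whether they need to pass ``separator=';'`` explicitly. Grammar: "as query parameter separator" should read "as query parameter separators".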
@@ -226,6 +235,9 @@ or on combining URL components into a URL string.
read. If set, then throws a :exc:`ValueError` if there are more than
*max_num_fields* fields read.
+ The optional argument *separator* is the symbol to use for separating the
+ query arguments. It defaults to ``&``.
+
Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into
query strings.
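Review bot: this paragraph repeats the parse_qs wording verbatim and has the same gap: it does not state that only the given separator is used to split fields and that ``;`` no longer does so by default, which is the behaviour a caller of parse_qsl needs to know about. Add that sentence here as well, describe *separator* as a string rather than a "symbol", and write the default as ``'&'`` to match the signature.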
@@ -235,6 +247,12 @@ or on combining URL components into a URL string.
.. versionchanged:: 3.8
Added *max_num_fields* parameter.
+ .. versionchanged:: 3.8.8
+ Added *separator* parameter with the default value of ``&``. Python
+ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as
+ query parameter separator. This has been changed to allow only a single
+ separator key, with ``&`` as the default separator.
+
.. function:: urlunparse(parts)
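Review bot: the parse_qsl versionchanged note copies the parse_qs one verbatim and inherits its wording problems: "a single separator key" reads as a query key and should be "a single separator string", and "as query parameter separator" should be "as query parameter separators". Since the same five lines now appear twice in this file, consider a shared rst substitution or a single cross-reference so the two notes cannot drift apart in later edits.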