diff options
| author | Senthil Kumaran <senthil@uthcode.com> | 2021-02-15 18:15:02 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-02-15 18:15:02 (GMT) |
| commit | e3110c3cfbb7daa690d54d0eff6c264c870a71bf (patch) | |
| tree | f67e6458fe7f63f4136bcc26fc6318fce827adff /Misc | |
| parent | 7777ae2ff7ba04ad20424db4efcc67246ff27b95 (diff) | |
| download | cpython-e3110c3cfbb7daa690d54d0eff6c264c870a71bf.zip cpython-e3110c3cfbb7daa690d54d0eff6c264c870a71bf.tar.gz cpython-e3110c3cfbb7daa690d54d0eff6c264c870a71bf.tar.bz2 | |
[3.8] bpo-42967: only use '&' as a query string separator (GH-24297) (#24529)
* bpo-42967: only use '&' as a query string separator (#24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in
urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default
instead of both ";" and "&" as allowed in earlier versions. An optional
argument seperator with default value "&" is added to specify the
separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297)
bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl().
urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator.
Co-authored-by: Éric Araujo <merwok@netwok.org>
Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com>
Co-authored-by: Éric Araujo <merwok@netwok.org>.
(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776)
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
* Update correct version information.
* fix docs and make logic clearer
Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>
Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com>
Diffstat (limited to 'Misc')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst new file mode 100644 index 0000000..f08489b --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst @@ -0,0 +1 @@ +Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator. |