[3.6] bpo-42967: only use '&' as a query string separator (GH-24297) #24532

orsenthil · 2021-02-15T03:05:48Z

[3.6] bpo-42967: only use '&' as a query string separator (GH-24297)

Backport of fcbe0cb to 3.6

https://bugs.python.org/issue42967

… urllib.parse.parse_qsl(). urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Éric Araujo <merwok@netwok.org>. (cherry picked from commit fcbe0cb) Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com>

orsenthil · 2021-02-15T07:30:11Z

The idle test case failing seems more like an unrelated flake to me.

Fidget-Spinner · 2021-02-15T15:49:56Z

Other than the docs issues mentioned in #24528 , this LGTM!
The idlelib tests are from this line here https://github.com/python/cpython/blob/3.6/Lib/idlelib/idle_test/test_configdialog.py#L104 ,
which seem pretty unrelated.

AdamGold · 2021-02-15T16:20:35Z

Lib/cgi.py

        ctype, pdict = parse_header(environ['CONTENT_TYPE'])
        if ctype == 'multipart/form-data':
-            return parse_multipart(fp, pdict)
+            return parse_multipart(fp, pdict, separator=separator)


I believe we should change the parse_multipart signature here

Thank you!. Yes, I had noticed in my local, but then lost it. :( - And unfortunately, the existing tests didn't cover to catch too.

AdamGold · 2021-02-15T16:44:10Z

We are adding a separator parameter to FieldStorage but I can not see any call to FieldStorage. In other versions, that call is within parse_multipart (therefore the signature changed). I think we can remove separator from FieldStorage altogether (but there are tests for it in this version - so that's odd).

orsenthil · 2021-02-15T18:19:32Z

We are adding a separator parameter to FieldStorage but I can not see any call to FieldStorage.

It is being called from test() function, which gets called if cgi.py is used as __main__. There is a path to usage, so leaving the changes and sending to parse_qsl in the FieldStorage seems okay to me. (instead of removing it).

orsenthil · 2021-02-15T18:26:46Z

Hi Ned, the patch against 3.6 is complete. You could merge this when you get a chance and cut the release. Thank you.

…4297) (pythonGH-24532) bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. Co-authored-by: Éric Araujo <merwok@netwok.org> Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> Rebased for Python 2.7 by Michał Górny

the-knights-who-say-ni added the CLA signed label Feb 15, 2021

bedevere-bot mentioned this pull request Feb 15, 2021

bpo-42967: only use '&' as a query string separator #24297

Merged

bedevere-bot added the awaiting core review label Feb 15, 2021

orsenthil mentioned this pull request Feb 15, 2021

[3.9] bpo-42967: only use '&' as a query string separator (GH-24297) #24528

Merged

AdamGold suggested changes Feb 15, 2021

View reviewed changes

Fix the parse_multipart call.

cf5abe2

fix docs and make logic clearer

b4b1ac1

orsenthil requested a review from ned-deily February 15, 2021 18:21

orsenthil assigned ned-deily Feb 15, 2021

ned-deily merged commit 5c17dfc into python:3.6 Feb 15, 2021

bedevere-bot removed the awaiting core review label Feb 15, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[3.6] bpo-42967: only use '&' as a query string separator (GH-24297) #24532