[issue42967] Web cache poisoning - `;` as a query args separator
Marc-Andre Lemburg
report at bugs.python.org
Wed Jan 20 07:02:44 EST 2021
Marc-Andre Lemburg <mal at egenix.com> added the comment:
On 20.01.2021 12:07, STINNER Victor wrote:
> Maybe we should even go further in Python 3.10 and only split at "&" by default, but let the caller to opt-in for ";" separator as well.
+1.
Personally, I've never seen URLs encoded with ";" as query parameter
separator in practice on the server side.
The use of ";" was recommended in the HTML4 spec, but only in an
implementation side note:
https://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2
and not in the main reference:
https://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.13.4.1
Browsers are also pretty relaxed about seeing non-escaped ampersands in
link URLs and do the right thing, so the suggested work-around for
avoiding escaping is not really needed.
----------
nosy: +lemburg
title: [security] urllib.parse.parse_qsl(): Web cache poisoning - `;` as a query args separator -> Web cache poisoning - `;` as a query args separator
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42967>
_______________________________________
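An added example (not code from the tracker thread or from CPython itself) showing how the choice of separator changes what parse_qsl returns, and why a front end that splits only on "&" and an origin that also splits on ";" end up with different parameter lists. It assumes Python 3.9.2 or later, where parse_qsl grew the `separator` keyword; the query string is a constructed sample.

```python
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample query string that mixes both separator characters.
QUERY = "page=1;utm=x&page=2"


def parse_with(separator):
    """Parse QUERY splitting on exactly one separator ('&' is the new default)."""
    return parse_qsl(QUERY, keep_blank_values=True, separator=separator)


def parse_legacy(qs):
    """Emulate the older behaviour: split on both '&' and ';' unconditionally.

    This is a hypothetical re-implementation for comparison, not CPython's code.
    """
    pairs = []
    for field in qs.replace(";", "&").split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parameter_view_differs(qs):
    """True when an '&'-only parser and a '&'/';' parser disagree on qs.

    A cache that keys on one view while the origin application uses the
    other is exactly the mismatch the issue describes, so a defender can
    use this check to flag query strings that are ambiguous between the two.
    """
    strict = parse_qsl(qs, keep_blank_values=True, separator="&")
    return strict != parse_legacy(qs)


if __name__ == "__main__":
    print("split on '&' only :", parse_with("&"))
    print("split on ';' only :", parse_with(";"))
    print("legacy, both      :", parse_legacy(QUERY))
    print("views differ      :", parameter_view_differs(QUERY))
```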