This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: urllib.parse.parse_qsl(): add an option to not consider semicolon (;) as separator
Type: Stage: resolved
Components: Library (Lib) Versions: Python 3.10
Status: closed Resolution: duplicate
Dependencies: Superseder: [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
View: 42967
Assigned To: Nosy List: vstinner, xtreak
Priority: normal Keywords:

Created on 2021-01-20 10:52 by vstinner, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (3)
msg385327 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2021-01-20 10:52
urllib.parse.parse_qsl() uses "&" *and* ";" as separators:

>>> urllib.parse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.parse_qsl("a=1&b=2;c=3")
[('a', '1'), ('b', '2'), ('c', '3')]

But the W3C standards evolved and now suggest against considering semicolon (";") as a separator:

"This form data set encoding is in many ways an aberrant monstrosity, the result of many years of implementation accidents and compromises leading to a set of requirements necessary for interoperability, but in no way representing good design practices. In particular, readers are cautioned to pay close attention to the twisted details involving repeated (and in some cases nested) conversions between character encodings and byte sequences."

"To decode application/x-www-form-urlencoded payloads (...) Let strings be the result of strictly splitting the string payload on U+0026 AMPERSAND characters (&)."

Maybe we should even go further in Python 3.10 and only split at "&" by default, but let the caller to opt-in for ";" separator as well.
msg385328 - (view) Author: Karthikeyan Singaravelan (xtreak) * (Python committer) Date: 2021-01-20 10:56
See also
msg385331 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2021-01-20 11:06
Oh, I mark my issue as a duplicate of bpo-42967.
Date User Action Args
2022-04-11 14:59:40adminsetgithub: 87141
2021-01-20 11:06:54vstinnersetstatus: open -> closed
superseder: [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator
messages: + msg385331

resolution: duplicate
stage: resolved
2021-01-20 10:56:11xtreaksetnosy: + xtreak
messages: + msg385328
2021-01-20 10:52:29vstinnercreate