Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

urllib.parse.parse_qsl(): add an option to not consider semicolon (;) as separator #87141

Closed
vstinner opened this issue Jan 20, 2021 · 3 comments
Labels
3.10 only security fixes stdlib Python modules in the Lib dir

Comments

@vstinner
Copy link
Member

BPO 42975
Nosy @vstinner, @tirkarthi
Superseder
  • bpo-42967: [CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - ; as a query args separator
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = <Date 2021-01-20.11:06:54.094>
    created_at = <Date 2021-01-20.10:52:29.082>
    labels = ['library', '3.10']
    title = 'urllib.parse.parse_qsl(): add an option to not consider semicolon (;) as separator'
    updated_at = <Date 2021-01-20.11:06:54.093>
    user = 'https://github.com/vstinner'

    bugs.python.org fields:

    activity = <Date 2021-01-20.11:06:54.093>
    actor = 'vstinner'
    assignee = 'none'
    closed = True
    closed_date = <Date 2021-01-20.11:06:54.094>
    closer = 'vstinner'
    components = ['Library (Lib)']
    creation = <Date 2021-01-20.10:52:29.082>
    creator = 'vstinner'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 42975
    keywords = []
    message_count = 3.0
    messages = ['385327', '385328', '385331']
    nosy_count = 2.0
    nosy_names = ['vstinner', 'xtreak']
    pr_nums = []
    priority = 'normal'
    resolution = 'duplicate'
    stage = 'resolved'
    status = 'closed'
    superseder = '42967'
    type = None
    url = 'https://bugs.python.org/issue42975'
    versions = ['Python 3.10']

    @vstinner
    Copy link
    Member Author

    urllib.parse.parse_qsl() uses "&" *and* ";" as separators:

    >>> urllib.parse.parse_qsl("a=1&b=2&c=3")
    [('a', '1'), ('b', '2'), ('c', '3')]
    >>> urllib.parse.parse_qsl("a=1&b=2;c=3")
    [('a', '1'), ('b', '2'), ('c', '3')]

    But the W3C standards evolved and now suggest against considering semicolon (";") as a separator:

    https://www.w3.org/TR/2014/REC-html5-20141028/forms.html#url-encoded-form-data

    "This form data set encoding is in many ways an aberrant monstrosity, the result of many years of implementation accidents and compromises leading to a set of requirements necessary for interoperability, but in no way representing good design practices. In particular, readers are cautioned to pay close attention to the twisted details involving repeated (and in some cases nested) conversions between character encodings and byte sequences."

    "To decode application/x-www-form-urlencoded payloads (...) Let strings be the result of strictly splitting the string payload on U+0026 AMPERSAND characters (&)."

    Maybe we should even go further in Python 3.10 and only split at "&" by default, but let the caller to opt-in for ";" separator as well.

    @vstinner vstinner added 3.10 only security fixes stdlib Python modules in the Lib dir labels Jan 20, 2021
    @tirkarthi
    Copy link
    Member

    See also https://bugs.python.org/issue42967

    @vstinner
    Copy link
    Member Author

    Oh, I mark my issue as a duplicate of bpo-42967.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.10 only security fixes stdlib Python modules in the Lib dir
    Projects
    None yet
    Development

    No branches or pull requests

    2 participants