Re: [issue42967] Web cache poisoning - `;` as a query args separator

2021-01-20 Thread M.-A. Lemburg
On 20.01.2021 12:07, STINNER Victor wrote:
> Maybe we should even go further in Python 3.10 and only split at "&" by
> default, but let the caller opt in for ";" separator as well.

+1. Personally, I've never seen URLs encoded with ";" as query parameter separator in practice on the server sid

[issue42967] Web cache poisoning - `;` as a query args separator

2021-01-20 Thread STINNER Victor
STINNER Victor added the comment:

Oops, I missed this issue. I just marked my bpo-42975 issue as a duplicate of this one.

My message:

urllib.parse.parse_qsl() uses "&" *and* ";" as separators:

>>> urllib.parse.parse_qsl("a=1&b=2&c=3")
[('a', '1'), ('b', '2'), ('c', '3')]
>>> urllib.parse.pa

[issue42967] Web cache poisoning - `;` as a query args separator

2021-01-19 Thread Adam Goldschmidt
New submission from Adam Goldschmidt:

The urlparse module treats semicolon as a separator (https://github.com/python/cpython/blob/master/Lib/urllib/parse.py#L739) - whereas most proxies today only take ampersands as separators. Link to a blog post explaining this vulnerability: https://snyk.