[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator

[99717c59-66e9-4e07-93e9-a8e50a019e9e]

BPO	42967
Nosy	@malemburg, @gpshead, @orsenthil, @ned-deily, @mcepl, @merwok, @encukou, @ambv, @serhiy-storchaka, @pablogsal, @miss-islington, @ret2libc, @erlend-aasland, @Fidget-Spinner, @AdamGold
PRs	python/cpython#24271 python/cpython#24297 python/cpython#24528 python/cpython#24529 python/cpython#24531 python/cpython#24532 python/cpython#24536 python/cpython#24818 python/cpython#25344 python/cpython#25345
Files	CVE-2021-23336-only-amp-as-query-sep.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields: ```python assignee = 'https://github.com/orsenthil' closed_at = created_at = labels = ['type-security', '3.8', '3.9', '3.10', 'release-blocker', '3.7', 'library'] title = '[CVE-2021-23336] urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a query args separator' updated_at = user = 'https://github.com/AdamGold' ``` bugs.python.org fields: ```python activity = actor = 'vstinner' assignee = 'orsenthil' closed = True closed_date = closer = 'orsenthil' components = ['Library (Lib)'] creation = creator = 'AdamGold' dependencies = [] files = ['49839'] hgrepos = [] issue_num = 42967 keywords = ['patch'] message_count = 57.0 messages = ['385266', '385332', '385337', '385341', '385342', '385344', '385346', '385352', '385495', '385496', '385497', '385513', '385527', '385544', '385549', '385565', '385566', '385567', '385582', '385585', '385590', '385865', '386003', '386785', '386787', '386788', '386954', '386957', '386960', '386968', '386980', '387027', '387037', '387039', '387040', '387045', '387049', '387069', '387638', '387712', '387735', '387756', '388368', '388433', '388434', '388440', '388447', '388486', '388574', '390782', '390784', '390790', '391231', '405721', '405723', '405725', '405728'] nosy_count = 15.0 nosy_names = ['lemburg', 'gregory.p.smith', 'orsenthil', 'ned.deily', 'mcepl', 'eric.araujo', 'petr.viktorin', 'lukasz.langa', 'serhiy.storchaka', 'pablogsal', 'miss-islington', 'rschiron', 'erlendaasland', 'kj', 'AdamGold'] pr_nums = ['24271', '24297', '24528', '24529', '24531', '24532', '24536', '24818', '25344', '25345'] priority = 'release blocker' resolution = 'fixed' stage = 'resolved' status = 'closed' superseder = None type = 'security' url = 'https://bugs.python.org/issue42967' versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10'] ```

[miss-islington]

New changeset 6ec2fb42f93660810952388e5c4018c197c17c8c by Miss Islington (bot) in branch '3.9': bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) https://github.com/python/cpython/commit/6ec2fb42f93660810952388e5c4018c197c17c8c

[4fce49d7-9c43-4783-b6f9-bd43eb64c326]

Did you upstream fixes for those packages?

Of course we did. Upstream first!

[orsenthil]

New changeset d5b80eb11b4812b4a579ce129ba4a10c5f5d27f6 by Miss Islington (bot) in branch '3.8': bpo-42967: coerce bytes separator to string in urllib.parse_qs(l) (GH-24818) (bpo-25345) https://github.com/python/cpython/commit/d5b80eb11b4812b4a579ce129ba4a10c5f5d27f6

[merwok]

erlandaasland you’ve been editing closed issues today (got messages from at least 2). maybe submitting old browser tabs with obsolete form data?

[erlend-aasland]

Yes, cleaning up ahmedsayeed1982 spam. I did my best to revert the nosy list, component, versions, and assigned to changes. What did I mess up?

[erlend-aasland]

See bpo-12168 for a similar cleanup by Eryk Sun. There was approx. 20 spammed issues. Eryk fixed most of them; I did a couple.

[merwok]

See the changelog entry for 2021-11-04 10:31:24 (and the other ticket where Guido just commented)

(and thanks for cleaning spam!)