From fd6b6afd5959b638c62dbf4839ccff97e7f7dfda Mon Sep 17 00:00:00 2001 From: Nick Pope Date: Tue, 16 Feb 2021 10:14:17 +0000 Subject: [2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl(). --- django/utils/http.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'django/utils') diff --git a/django/utils/http.py b/django/utils/http.py index de1ea71368..74bc5cb8ab 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -41,7 +41,7 @@ ASCTIME_DATE = re.compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" -FIELDS_MATCH = re.compile('[&;]') +FIELDS_MATCH = re.compile('&') @keep_lazy_text -- cgit v1.3