diff options
| author | Nick Pope <nick@nickpope.me.uk> | 2021-02-16 10:14:17 +0000 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-02-18 10:15:30 +0100 |
| commit | 8f6d431b08cbb418d9144b976e7b972546607851 (patch) | |
| tree | 35d315127b71d1927f311e9b506bbe87b960727f /django/utils/http.py | |
| parent | 536d1174bba83a03f4d417b238918f52536da83b (diff) | |
[3.1.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl().
Diffstat (limited to 'django/utils/http.py')
| -rw-r--r-- | django/utils/http.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py index c1005458e7..bc6aade3ef 100644 --- a/django/utils/http.py +++ b/django/utils/http.py @@ -42,7 +42,7 @@ ASCTIME_DATE = _lazy_re_compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y)) RFC3986_GENDELIMS = ":/?#[]@" RFC3986_SUBDELIMS = "!$&'()*+,;=" -FIELDS_MATCH = _lazy_re_compile('[&;]') +FIELDS_MATCH = _lazy_re_compile('&') @keep_lazy_text |