| author | Nick Pope <nick@nickpope.me.uk> | 2021-02-16 10:14:17 +0000 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-02-18 10:27:25 +0100 |
| commit | fd6b6afd5959b638c62dbf4839ccff97e7f7dfda (patch) | |
| tree | 2176e04f6cb953e08db56295ddb3ea219da1d084 /django/utils/http.py | |
| parent | 226d8319181b94b093708b8cdd4ab5e257a79df6 (diff) | |
[2.2.x] Fixed CVE-2021-23336 -- Fixed web cache poisoning via django.utils.http.limited_parse_qsl().
Diffstat (limited to 'django/utils/http.py')
| -rw-r--r-- | django/utils/http.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/django/utils/http.py b/django/utils/http.py
index de1ea71368..74bc5cb8ab 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -41,7 +41,7 @@ ASCTIME_DATE = re.compile(r'^\w{3} %s %s %s %s$' % (__M, __D2, __T, __Y))
 RFC3986_GENDELIMS = ":/?#[]@"
 RFC3986_SUBDELIMS = "!$&'()*+,;="
-FIELDS_MATCH = re.compile('[&;]')
+FIELDS_MATCH = re.compile('&')
 @keep_lazy_text |
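Review bot: The new `FIELDS_MATCH = re.compile('&')` has no comment recording why `;` was dropped, so a later "compatibility" change could restore `[&;]` and reopen the issue named in the commit title. I would add above the constant: `# Only '&' separates fields. Also splitting on ';' can make Django parse a query string differently from a cache in front of it (CVE-2021-23336).` The mechanism in that comment is inferred from the title, not from the hunk, so confirm the wording against the advisory. This is also a behaviour change for any client that still sends `;`-separated parameters: they should now arrive as a single field, which deserves a release note and a regression test asserting that `a=1;b=2` yields one pair. The diffstat is limited to this file, so such a test may already exist elsewhere in the commit.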
