urls.encoding: only split query params on &.
authorJohn Benediktsson <mrjbq7@gmail.com>
Sun, 26 Dec 2021 18:09:38 +0000 (10:09 -0800)
committerJohn Benediktsson <mrjbq7@gmail.com>
Sun, 26 Dec 2021 18:11:30 +0000 (10:11 -0800)
html5: recommends only &.
html4: for a little while suggested supporting both & and ;

splitting on both caused CVE-2021-23336 to be filed against cpython

basis/urls/encoding/encoding-tests.factor
basis/urls/encoding/encoding.factor

index 16bf78e201b116eafbcbba655c01e7561924aa92..0fbb3f8753f596198884c24ea9d6b6e2d66f3227 100644 (file)
@@ -29,7 +29,7 @@ USING: kernel linked-assocs sequences tools.test urls.encoding ;
 
 { LH{ { "a" { "b" "c" } } } } [ "a=b&a=c" query>assoc ] unit-test
 
-{ LH{ { "a" { "b" "c" } } } } [ "a=b;a=c" query>assoc ] unit-test
+{ LH{ { "a" "b;a=c" } } } [ "a=b;a=c" query>assoc ] unit-test
 
 { LH{ { "c" "d" } { "a" "b" } { "e" "f" } } } [ "c=d&a=b&e=f" query>assoc ] unit-test
 
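Review bot: The updated test for `"a=b;a=c"` only pins a query with no `&` in it, so the mixed case where `;` and `&` appear together is not covered, and that is the case where this parser and an upstream cache or proxy have to agree on parameter boundaries. I would add `{ LH{ { "a" "1;b=2" } { "c" "3" } } } [ "a=1;b=2&c=3" query>assoc ] unit-test` next to it; this should hold given the `"=" split1` in `query>assoc`, but I have not run it. A query with `;` on the key side of `=` would be worth pinning as well, so that a later change to the separator set fails loudly.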
@@ -46,4 +46,4 @@ USING: kernel linked-assocs sequences tools.test urls.encoding ;
 { t } [ "?x=test" [ encode-uri decode-uri ] keep sequence= ] unit-test
 { t } [ "шеллы" [ encode-uri decode-uri ] keep sequence= ] unit-test
 { t } [ "?x=test" [ encode-uri-component decode-uri-component ] keep sequence= ] unit-test
-{ t } [ "шеллы" [ encode-uri-component decode-uri-component ] keep sequence= ] unit-test
\ No newline at end of file
+{ t } [ "шеллы" [ encode-uri-component decode-uri-component ] keep sequence= ] unit-test
index 5101e8fac87031b8371b02101c3d78890e7329fc..70f989f22b603c396c7af32455a7a4fca52174b3 100644 (file)
@@ -105,7 +105,7 @@ PRIVATE>
 
 : query>assoc ( query -- assoc )
     dup [
-        "&;" split <linked-hash> [
+        "&" split <linked-hash> [
             [
                 [ "=" split1 [ dup [ query-decode ] when ] bi@ swap ] dip
                 add-query-param
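Review bot: The new `"&" split` line in `query>assoc` has no comment saying why `;` was dropped as a separator, so a later maintainer could restore the HTML4 behaviour without seeing the risk. I would put a comment directly above it, for example `! Split on "&" only (HTML5): also accepting ";" lets this parser and an upstream cache or proxy disagree about where parameters end, see CVE-2021-23336.` This is also a behaviour change for any caller that was sent `;`-separated queries. The file list shows only the test and source files, so the word's documentation presumably still needs the same statement. The body of `query>assoc` continues past the end of this hunk.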