
Why is semicolon considered as a separator for query string in werkzeug 2.3.x?


I have a production application running flask==2.2.5 and werkzeug==2.2.3, and need to upgrade the werkzeug package to version 2.3.8 or 3.0.1. But when I tested after updating, there is some change in the werkzeug package that is not mentioned in the change log, which basically considers the ";" character along with "&" in the query string as a separator and separates it out. "&" was the only separator in the older versions. Does anyone know why this is happening or how to fix this?

Example:

For a sample request url - http://example.com/path?param1=p1value1&param2=p2value1;p2value2

The expected output for request.params should be
ImmutableMultiDict([('param1', 'p1value1'), ('param2', 'p2value1;p2value2')])

But the output that I am getting is
ImmutableMultiDict([('param1', 'p1value1'), ('param2', 'p2value1', 'p2value2', '')])


Solution

  • As @John Bollinger mentioned,

    Werkzeug v2.3.0 switched from its bespoke internal URL parsing code to standard urllib.parse. urllib.parse's query-string functions used to support both & and ; as query-parameter separators, but they don't any longer. They accept only one separator character, which defaults to &. For Python 3.6 - 3.9, the change to query string parsing was applied separately in each version's revision history. For Python 3.8 you want at least v3.8.8.
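
An added example (not from the original post, the answer, or Werkzeug's code): it checks whether the running interpreter's `urllib.parse` still splits on `;` and compares the `&`-only result with an emulation of the older two-separator parsing for the URL in the question. The helper names `parse_legacy` and `differs` are hypothetical, and the emulation is a simplified stand-in for the old behaviour, not the old library code.

```python
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample: the query string from the URL in the question.
QUERY = "param1=p1value1&param2=p2value1;p2value2"


def interpreter_splits_on_semicolon() -> bool:
    """True if this Python's urllib.parse still treats ';' as a separator."""
    return len(parse_qsl("a=1;b=2", keep_blank_values=True)) == 2


def parse_current(qs: str) -> list:
    """Parse with the interpreter's urllib.parse defaults ('&' only when patched)."""
    return parse_qsl(qs, keep_blank_values=True)


def parse_legacy(qs: str) -> list:
    """Hypothetical emulation of the old behaviour: both '&' and ';' split."""
    pairs = []
    for chunk in qs.replace(";", "&").split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def differs(qs: str) -> bool:
    """Flag query strings that the two parsing rules interpret differently."""
    return parse_current(qs) != parse_legacy(qs)


if __name__ == "__main__":
    print("interpreter splits on ';':", interpreter_splits_on_semicolon())
    print("current:", parse_current(QUERY))
    print("legacy :", parse_legacy(QUERY))
    print("ambiguous input:", differs(QUERY))
```

Running it under the same interpreter the application uses shows which rule Werkzeug 2.3.x will inherit there; `differs` can be applied to logged query strings to find requests whose parameters change meaning across the upgrade.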