FWIW, a surprising amount of things rely on treating ';' as a valid separator in the standard test suite. From just a cursory look: test_cgi test_urlparse A change in the public API of urlparse will also require a change in cgi.py's FieldStorage, FieldStorage.read_multi, parse and parse_multipart to expose that parameter since those functions forward arguments directly to urllib.parse.parse_qs internally. If we backport this, it seems that we will *also* need to backport all those changes to cgi's public API. Otherwise, just backporting the security fix part without allowing the user to switch would break existing code. Just my 2 cents on the issue. I'm not too familiar with security fixes in cpython anyways ;).