[New-bugs-announce] [issue33008] urllib.request.parse_http_list incorrectly strips backslashes

W. Trevor King report at bugs.python.org
Tue Mar 6 01:51:56 EST 2018 

New submission from W. Trevor King <wking at tremily.us>:

Python currently strips backslashes from inside quoted strings:

  $ echo 'a="b\"c",d=e' | python3 -c 'from sys import stdin; from urllib.request import parse_http_list; print(parse_http_list(stdin.read()))'
  ['a="b"c"', 'd=e']

It should be printing:

  ['a="b\"c"', 'd=e']

The bug is this continue [1], which should be removed.  This was not a problem with the original implementation [2].  It was introduced in [3] as a fix for #735248 with explicit tests asserting the broken behavior [3].  Stripping backslashes from the insides of quoted strings is not appropriate, because it breaks explicit unquoting with email.utils.unquote [4]:

  import email.utils
  import urllib.request
  list = r'"b\\"c"'
  entry = urllib.request.parse_http_list(list)[0]
  entry  # '"b\\"c"', should be '"b\\\\"c"'
  email.utils.unquote(entry)  # 'b"c', should be 'b\\"c'

I'm happy to file patches against the various branches if that would help, but as a one-line removal (plus adjusting the tests), it might be easier if a maintainer files the patches.

[1]: https://github.com/python/cpython/blob/v3.7.0b2/Lib/urllib/request.py#L1420
[2]: https://github.com/python/cpython/commit/6d7e47b8ea1b8cf82927dacc364689b8eeb8708b#diff-33f7983ed1a69d290366fe426880581cR777
[3]: https://github.com/python/cpython/commit/e1b13d20199f79ffd3407bbb14cc09b1b8fd70d2#diff-230a8abfedeaa9ae447490df08172b15R52
[4]: https://docs.python.org/3.5/library/email.util.html#email.utils.unquote

----------
components: Library (Lib)
messages: 313308
nosy: labrat
priority: normal
severity: normal
status: open
title: urllib.request.parse_http_list incorrectly strips backslashes
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33008>
_______________________________________

More information about the New-bugs-announce mailing list