[Patches] [ python-Patches-508665 ] Improvement of cgi.parse_qsl function

Sun Mar 21 17:28:41 EST 2004

Patches item #508665, was opened at 2002-01-25 12:23
Message generated for change (Comment added) made by bcannon
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=508665&group_id=5470

Category: None
Group: None
>Status: Closed
>Resolution: Accepted
Priority: 5
Submitted By: Christoph Zwerschke (cito)
Assigned to: Brett Cannon (bcannon)
Summary: Improvement of cgi.parse_qsl function

Initial Comment:
I found the parsing function "parse_qsl" in the 
module "cgi" to have some flaws. Especially, empty 
names are allowed, even if empty values are explicitly 
disallowed. If the latter are allowed, "?name=" is 
accepted, while "?name" is ignored. Often you want to 
use links like "?logout" or "?help". This is not 
possible, even if empty values are explicitly allowed. 
Also, "strict parsing" objects to "?name=", while it 
ignores "?name=a=b=c". My improvement suggestion:

------------- use ----------

for name_value in pairs:
    if strict_parsing:
        nv = name_value.split(&#039;=&#039;, 2)
        if len(nv) != 2 or not len(nv[0]):
            raise ValueError, "bad query field: %s" % 
`name_value`
    else:
        nv = name_value.split(&#039;=&#039;, 1).append(&#039;&#039;)
        if not len(nv[0]):
            continue
    if len(nv[1]) or keep_blank_values:
        name = urllib.unquote(nv[0].replace(&#039;+&#039;, &#039; &#039;))
        value = urllib.unquote(nv[1].replace(&#039;+&#039;, &#039; &#039;))
        r.append((name, value))

----------- instead of --------

for name_value in pairs:
    nv = name_value.split(&#039;=&#039;, 1)
    if len(nv) != 2:
        if strict_parsing:
            raise ValueError, "bad query field: %s" % 
`name_value`
        continue
    if len(nv[1]) or keep_blank_values:
        name = urllib.unquote(nv[0].replace(&#039;+&#039;, &#039; &#039;))
        value = urllib.unquote(nv[1].replace(&#039;+&#039;, &#039; &#039;))
        r.append((name, value))

----------------------------------------------------------------------

>Comment By: Brett Cannon (bcannon)
Date: 2004-03-21 14:28

Message:
Logged In: YES 
user_id=357491

The case for having a control-name with no equal sign has been fixed to 
be acceptable when allow_blank_values is true.

The case for having "name=a=b=c" was not changed, though.  I could 
not find anywhere to say that is actually illegal.  Also, the tests from 
test_cgi specifically test for this and allow it.

Fixed in Lib/cgi.py, rev. 1.78 .

----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2004-03-20 14:29

Message:
Logged In: YES 
user_id=31435

Brett, since you seemed to know something about this, how 
about closing it?  You just got the honor of having our oldest 
open patch assigned to you <wink>.

----------------------------------------------------------------------

Comment By: Christoph Zwerschke (cito)
Date: 2003-05-19 07:05

Message:
Logged In: YES 
user_id=193957

The problem with empty names is still the same.
Is this what you need?

cvs diff cgi.py (in directory C:\Temp\python\python\dist\src\Lib\)
Index: cgi.py
================================================
===================
RCS file: /cvsroot/python/python/dist/src/Lib/cgi.py,v
retrieving revision 1.76
diff -r1.76 cgi.py
212,214c212,214
<         nv = name_value.split('=', 1)
<         if len(nv) != 2:
<             if strict_parsing:
---
>         if strict_parsing:
>             nv = name_value.split('=', 2)
>             if len(nv) != 2 or not len(nv[0]):
216c216,221
<             continue
---
>         else:
>             nv = name_value.split('=', 1)
>             if not len(nv[0]):
>                 continue
>             if len(nv) != 2:
>                 nv.append('')

----------------------------------------------------------------------

Comment By: Brett Cannon (bcannon)
Date: 2003-05-16 17:41

Message:
Logged In: YES 
user_id=357491

The issue of "name=" compared to "name=a=b=c" has changed; both are 
allowed under strict parsing while "name" is not.  The isue with "name" not 
being made a key with a blank value is still there.

Christoph, any chance you can create a patch against the CVS version of cgi?

----------------------------------------------------------------------

Comment By: Christoph Zwerschke (cito)
Date: 2002-01-25 12:41

Message:
Logged In: YES 
user_id=193957

-------- better use: ---------- 

<pre>

for name_value in pairs:
    if strict_parsing:
        nv = name_value.split('=', 2)
        if len(nv) != 2 or not len(nv[0]):
            raise ValueError, "bad query field: %s" % 
`name_value`
    else:
        nv = name_value.split('=', 1)
        if not len(nv[0]):
            continue
        if len(nv) != 2:
            nv.append('')
    if len(nv[1]) or keep_blank_values:
        name = urllib.unquote(nv[0].replace('+', ' '))
        value = urllib.unquote(nv[1].replace('+', ' '))
        r.append((name, value))

</pre>

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=508665&group_id=5470