[issue24661] CGIHTTPServer: premature unescaping of query string
John S
2015-07-18 14:04:01 UTC
New submission from John S:

I created a simple CGI script that outputs the query string passed to it:

```
#!/usr/bin/env python
# Python 2 CGI script: echo back the raw QUERY_STRING the server exported.
import os
print 'Content-Type: text/html\n\n'
print os.environ['QUERY_STRING']
```
I saved it as cgi-bin/test.cgi and made it executable. I then ran `python -m CGIHTTPModule` and opened
http://localhost:8000/cgi-bin/test.cgi?H%26M
in a web browser.

The output was H&M when it should have been H%26M

I tried with Python 2.7.5, 2.7.3 and 2.6.6 and they all correctly output H%26M.

The test.cgi file is attached.

----------
components: Library (Lib)
files: test.cgi
messages: 246900
nosy: johnseman
priority: normal
severity: normal
status: open
title: CGIHTTPServer: premature unescaping of query string
versions: Python 2.7
Added file: http://bugs.python.org/file39943/test.cgi

_______________________________________
Python tracker <***@bugs.python.org>
<http://bugs.python.org/issue24661>
_______________________________________
Eric V. Smith
2015-07-19 02:33:33 UTC
Eric V. Smith added the comment:

I would expect the cgi script to receive the unescaped values. Can you point to some reference that says otherwise?

----------
nosy: +eric.smith

John S
2015-07-19 13:11:02 UTC
John S added the comment:

Imagine you had the following URL.

http://localhost:8000/cgi-bin/test.cgi?q=Dolce%26Gabbana&p=1

os.environ['QUERY_STRING'] would hold the value

q=Dolce&Gabbana&p=1

If you ran the following code, you would be unable to get the value of the q parameter in full.

```
import cgi
form = cgi.FieldStorage()
print form["q"].value # Outputs Dolce without the Gabbana
```

----------

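The effect described in the two comments above, as an added example that is not part of the original report or of CPython: a small model of what the CGI server exports as QUERY_STRING before and after the fix, and what a parameter parser then sees. `server_query_string`, `cgi_params` and the sample request targets are assumptions made for this example; `urllib.parse.parse_qs` stands in for `cgi.FieldStorage`, which parses the same syntax. The example also goes one step beyond the report: because the server decodes `%26` and `%3D` before the script splits on `&` and `=`, a single attacker-controlled value can turn into extra parameters, which is why a gateway must hand the query string through undecoded.

```python
from urllib.parse import parse_qs, unquote

# Constructed request targets modelled on the thread (not captured traffic).
HM_REQUEST = "/cgi-bin/test.cgi?H%26M"
DG_REQUEST = "/cgi-bin/test.cgi?q=Dolce%26Gabbana&p=1"
# Generalisation: a value that, once decoded too early, grows a second parameter.
INJECT_REQUEST = "/cgi-bin/test.cgi?user=guest%26role%3Dadmin"


def server_query_string(request_target, premature_unquote):
    """Model of the QUERY_STRING a CGI gateway exports for request_target.

    premature_unquote=True reproduces the behaviour reported in this issue
    (the server percent-decodes the query before handing it to the script);
    False reproduces the fixed behaviour (raw query passed through unchanged).
    """
    _, _, query = request_target.partition("?")
    return unquote(query) if premature_unquote else query


def cgi_params(query_string):
    """What a CGI script's form parser (cgi.FieldStorage, parse_qs) sees.

    keep_blank_values=True so that a bare, valueless token such as the
    'Gabbana' fragment shows up as a key instead of being silently dropped.
    """
    return parse_qs(query_string, keep_blank_values=True)


def compare(request_target):
    """Return (fixed, buggy) parameter dicts for one request target."""
    fixed = cgi_params(server_query_string(request_target, False))
    buggy = cgi_params(server_query_string(request_target, True))
    return fixed, buggy


if __name__ == "__main__":
    for target in (HM_REQUEST, DG_REQUEST, INJECT_REQUEST):
        raw = server_query_string(target, False)
        decoded = server_query_string(target, True)
        fixed, buggy = compare(target)
        print(target)
        print("  QUERY_STRING (fixed): ", raw, "->", fixed)
        print("  QUERY_STRING (buggy): ", decoded, "->", buggy)
```

With the raw query passed through, `q` comes back as `Dolce&Gabbana` and `user` as `guest&role=admin`, since the script's own parser does the one and only decode. With the premature decode, `q` is truncated to `Dolce`, a stray `Gabbana` key appears, and the constructed `user` value splits into `user=guest` plus a separate `role=admin` parameter the client never sent as such. Any component that unescapes before the delimiter split should be treated as the same class of defect.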
Martin Panter
2015-11-11 05:48:59 UTC
Martin Panter added the comment:

The CGI server no longer unquotes the query string thanks to the fix for Issue 24657. The fix should be in the next (2.7.11) release.

----------
nosy: +martin.panter
resolution: -> out of date
stage: -> resolved
status: open -> closed
superseder: -> CGIHTTPServer module discard continuous '/' letters from params given by GET method.
type: -> behavior
versions: +Python 3.4, Python 3.5, Python 3.6
