classification
Title: CGIHTTPServer: premature unescaping of query string
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed Resolution: out of date
Dependencies: Superseder: CGIHTTPServer module discard continuous '/' letters from params given by GET method.
View: 24657
Assigned To: Nosy List: eric.smith, johnseman, martin.panter
Priority: normal Keywords:

Created on 2015-07-18 14:04 by johnseman, last changed 2015-11-11 05:48 by martin.panter. This issue is now closed.

Files
File name Uploaded Description Edit
test.cgi johnseman, 2015-07-18 14:04
Messages (4)
msg246900 - (view) Author: John S (johnseman) Date: 2015-07-18 14:04
I created a simple CGI script that outputs the query string passed to it:

```
#!/usr/bin/env python
import os
print 'Content-Type: text/html\n\n'
print os.environ['QUERY_STRING']
```
I saved it as cgi-bin/test.cgi and made it executable. I then ran `python -m CGIHTTPModule` and opened 
http://localhost:8000/cgi-bin/test.cgi?H%26M
in a web browser.

The output was H&M when it should have been H%26M.

I tried with Python 2.7.5, 2.7.3 and 2.6.6 and they all correctly output H%26M.

The test.cgi file is attached.
msg246929 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2015-07-19 02:33
I would expect the cgi script to receive the unescaped values. Can you point to some reference that says otherwise?
msg246941 - (view) Author: John S (johnseman) Date: 2015-07-19 13:11
Imagine you had the following URL.

 http://localhost:8000/cgi-bin/test.cgi?q=Dolce%26Gabbana&p=1

os.environ['QUERY_STRING'] would hold the value 

 q=Dolce&Gabbana&p=1

If you ran the following code, you would be unable to get the value of the q parameter in full.

```
import cgi
form = cgi.FieldStorage()
print form["q"].value # Outputs Dolce without the Gabbana
```
msg254474 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-11 05:48
The CGI server no longer unquotes the query string thanks to the fix for Issue 24657. The fix should be in the next (2.7.11) release.
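
The effect described in msg246941, as an added example that is not part of the original thread or of CGIHTTPServer: it uses Python 3's `urllib.parse` to compare parsing the raw query string with parsing one that was unescaped first. The function names and the sample constant are hypothetical.

```python
# Added illustration (Python 3, standard library only); not CGIHTTPServer code.
from urllib.parse import parse_qs, unquote

# Constructed sample: the raw query string from the URL in msg246941.
RAW_QUERY = "q=Dolce%26Gabbana&p=1"


def parse_raw(query):
    """Correct order: split on '&' and '=' first, then percent-decode each
    name and value (parse_qs performs both steps in that order)."""
    return parse_qs(query, keep_blank_values=True)


def parse_prematurely_unescaped(query):
    """Order described in the report: the whole string is decoded before the
    script parses it, so an encoded '&' turns into a field separator."""
    return parse_qs(unquote(query), keep_blank_values=True)


def spurious_fields(query):
    """Field names that exist only because the string was decoded too early."""
    early = parse_prematurely_unescaped(query)
    return sorted(set(early) - set(parse_raw(query)))


def boundary_changed(query):
    """True when decoding before parsing changes the parsed fields at all."""
    return parse_raw(query) != parse_prematurely_unescaped(query)


if __name__ == "__main__":
    for sample in (RAW_QUERY, "H%26M", "q=shoes&p=1"):
        print(sample)
        print("  raw parse:       ", parse_raw(sample))
        print("  unescaped first: ", parse_prematurely_unescaped(sample))
        print("  spurious fields: ", spurious_fields(sample))
```
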
History
| Date | User | Action | Args |
|---|---|---|---|
| 2015-11-11 05:48:59 | martin.panter | set | status: open -> closed; superseder: CGIHTTPServer module discard continuous '/' letters from params given by GET method.; nosy: + martin.panter; versions: + Python 3.4, Python 3.5, Python 3.6; messages: + msg254474; type: behavior; resolution: out of date; stage: resolved |
| 2015-07-19 13:11:02 | johnseman | set | messages: + msg246941 |
| 2015-07-19 02:33:33 | eric.smith | set | nosy: + eric.smith; messages: + msg246929 |
| 2015-07-18 14:04:01 | johnseman | create | |