Title: CGIHTTPServer: premature unescaping of query string
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
Status: closed Resolution: out of date
Dependencies: Superseder: CGIHTTPServer module discard continuous '/' letters from params given by GET method.
View: 24657
Assigned To: Nosy List: eric.smith, johnseman, martin.panter
Priority: normal Keywords:

Created on 2015-07-18 14:04 by johnseman, last changed 2015-11-11 05:48 by martin.panter. This issue is now closed.

File name Uploaded Description Edit
test.cgi johnseman, 2015-07-18 14:04
Messages (4)
msg246900 - (view) Author: John S (johnseman) Date: 2015-07-18 14:04
I created a simple CGI script that outputs the query string passed to it:

#!/usr/bin/env python
# Python 2 CGI script: echo the QUERY_STRING value exactly as the server set it.
import os
print 'Content-Type: text/html\n\n'
print os.environ['QUERY_STRING']

I saved it as cgi-bin/test.cgi and made it executable. I then ran `python -m CGIHTTPModule` and opened 
in a web browser.

The output was H&M when it should have been H%26M

I tried with Python 2.7.5, 2.7.3 and 2.6.6 and they all correctly output H%26M.

The test.cgi file is attached.
msg246929 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2015-07-19 02:33
I would expect the cgi script to receive the unescaped values. Can you point to some reference that says otherwise?
msg246941 - (view) Author: John S (johnseman) Date: 2015-07-19 13:11
Imagine you had the following URL.


os.environ['QUERY_STRING'] would hold the value 


If you ran the following code, you would be unable to get the value of the q parameter in full.

import cgi
form = cgi.FieldStorage()
print form["q"].value # Outputs Dolce without the Gabbana
msg254474 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2015-11-11 05:48
The CGI server no longer unquotes the query string thanks to the fix for Issue 24657. The fix should be in the next (2.7.11) release.
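
An added example, not part of the thread and not CGIHTTPServer's own code: a simplified Python 3 model of the two orderings discussed above, decoding the request target before versus after the query string is split off. The request target and all function names are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote

# Constructed request target; the URLs in the original report are not available.
REQUEST_TARGET = "/cgi-bin/test.cgi?q=Dolce%26Gabbana&lang=en"


def query_string_unquote_first(target):
    """Model of the reported behaviour: decode the whole target, then split."""
    decoded = unquote(target)
    _, _, query = decoded.partition("?")
    return query


def query_string_split_first(target):
    """Model of the expected behaviour: split on '?', pass the query through raw."""
    _, _, query = target.partition("?")
    return query


def cgi_params(query_string):
    """What a CGI script sees once it parses QUERY_STRING (decoding happens here)."""
    return parse_qs(query_string, keep_blank_values=True)


def spurious_keys(target):
    """Parameter names that exist only because the target was decoded too early."""
    good = cgi_params(query_string_split_first(target))
    bad = cgi_params(query_string_unquote_first(target))
    return sorted(set(bad) - set(good))


if __name__ == "__main__":
    for name, fn in (("unquote first", query_string_unquote_first),
                     ("split first", query_string_split_first)):
        qs = fn(REQUEST_TARGET)
        print(f"{name:14} QUERY_STRING={qs!r} -> {cgi_params(qs)}")
    print("keys created by early decoding:", spurious_keys(REQUEST_TARGET))
```

With early decoding the escaped `&` becomes a real separator, so `q` is truncated and a parameter the client never sent as a key appears in the parsed form.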
Date User Action Args
2015-11-11 05:48:59 martin.panter set status: open -> closed
    superseder: CGIHTTPServer module discard continuous '/' letters from params given by GET method.
    nosy: + martin.panter
    versions: + Python 3.4, Python 3.5, Python 3.6
    messages: + msg254474
    type: behavior
    resolution: out of date
    stage: resolved
2015-07-19 13:11:02 johnseman set messages: + msg246941
2015-07-19 02:33:33 eric.smith set nosy: + eric.smith
    messages: + msg246929
2015-07-18 14:04:01 johnseman create