According to rfc3986, section 3.4:

 The query component is indicated by the first question
 mark ("?") character and terminated by a number sign ("#") character
 or by the end of the URI.

 The characters slash ("/") and question mark ("?") may represent data
 within the query component.

But for CGIRequestHandler, it uses the content after the last ? as
query component. For uri http://localhost:8000/cgi-bin/test.py?a=b?c=d,
the QUERY_STRING is c=d.

Thanks for the report and patch. Would you be interested in making a new regression test for this bug?

While we are fixing this code, we might as well simplify that whole “if” block to

[rest, query] = rest.partition("?")

I add a testcase but I worry it's not in the right format. Please review it. Partition is a good choice here.

The test case looks okay to me. IMO using numbers for variable names (cgi_file4 etc) is a terrible idea, but I understand you are just conforming to the existing code :)

New changeset 969afbf501af by Martin Panter in branch '3.4':
Issue #25232: Fix CGIRequestHandler's splitting of URL query
https://hg.python.org/cpython/rev/969afbf501af

New changeset ba1e3c112e42 by Martin Panter in branch '3.5':
Issues #25232, #24657: Merge two CGI server fixes from 3.4 into 3.5
https://hg.python.org/cpython/rev/ba1e3c112e42

New changeset 88918f2a54df by Martin Panter in branch '3.5':
Issues #25232, #24657: Use new enum status to match rest of tests
https://hg.python.org/cpython/rev/88918f2a54df

New changeset 0f03023d4318 by Martin Panter in branch 'default':
Issues #25232, #24657: Merge two CGI server fixes from 3.5
https://hg.python.org/cpython/rev/0f03023d4318

New changeset 3c006ee38287 by Martin Panter in branch 'default':
Issues #25232, #24657: Add NEWS to 3.6.0a1 section
https://hg.python.org/cpython/rev/3c006ee38287

New changeset b12b30dc8617 by Martin Panter in branch '2.7':
Issue #25232: Fix CGIRequestHandler's splitting of URL query
https://hg.python.org/cpython/rev/b12b30dc8617