bpo-43910 Fix handling of quoted values in cgi.parse_header #25519
Conversation
Signed-off-by: Mark Gordon <msg555@gmail.com>
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA). CLA MissingOur records indicate the following people have not signed the CLA: For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for the contribution, we look forward to reviewing it! |
|
This PR is stale because it has been open for 30 days with no activity. |
|
@msg555, thanks for the PR. Unfortunately, the cgi module is now deprecated following the acceptance of PEP 594, so bugfixes and improvements for this module will no longer be accepted. I am therefore closing this PR. I hope that this does not dissuade you from contributing to CPython in the future |
Updates the logic in cgi.parse_header to do a proper scan over the string managing the parse state properly. This corrects cases where a quoted value ends with a backslash character. This PR also correctly unescapes characters other than the backslash or double quote character by replacing them with the octet literal following a backslash in a quoted string (although according to the spec clients should not quote anything other than those two characters).
The goal is to recognize the language detailed in https://www.w3.org/Protocols/rfc1341/4_Content-Type.html (with additional details on quoted-string at https://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-16.html#rfc.section.3.2.1.p.3 ).
Note that this method has no validation that the header value is well formed and always returns a value. Do to this we recognize a slightly larger language that looks something like
This also eliminates an unnecessary quadratic loop (that was also the source of the correctness problem)
https://bugs.python.org/issue43910