[issue11269] cgi.FieldStorage forgets to unquote field names when parsing multipart/form-data

Sergey Schetinin report at bugs.python.org
Tue Feb 22 01:48:26 CET 2011


Sergey Schetinin <sergey at maluke.com> added the comment:

I've dug into the RFCs and tested various browsers.

RFC 2388 (the one defining multipart/form-data) says: 

Field names originally in non-ASCII character sets may be encoded
within the value of the "name" parameter using the standard method
described in RFC 2047.

RFC 2047 in turn defines the coding sometimes seen in email headers ("=?iso-8859-1?q?this is some text?=").

That means that this report is invalid. And I was misled by the bug that belongs to Google Chrome (which is the browser I was doing initial testing with).

I tested this with the following HTML form:

<form action="handle" method="POST" enctype="multipart/form-data">
<button name='"%22' type="submit" value="">Test</button>
</form>

Here are the headers submitted by various browsers:

IE 8: 
  Content-Disposition: form-data; name=""%22"
Firefox 4.0b11:
  Content-Disposition: form-data; name="\"%22"
Chrome 9:
  Content-Disposition: form-data; name="%22%22"

And the Chrome one is the one clearly invalid.

cgi still does no decoding of parameters as per RFC 2047, but browsers do not use that encoding for non-ASCII field names anyway (they just put the field names in UTF-8), so that might be unnecessary.

Please close this bug at your own judgement.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11269>
_______________________________________
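Added example, not part of the original message or of Python's cgi module: the three header values reported above, run through three ways a server might extract the `name` parameter, to show which of them gives back the field name from the test form. The function names and the choice of strategies are assumptions made for this illustration.

```python
from urllib.parse import unquote

FIELD_NAME = '"%22'  # name attribute of the button in the test form

# Header values as reported in the message above.
OBSERVED = {
    "IE 8": 'form-data; name=""%22"',
    "Firefox 4.0b11": 'form-data; name="\\"%22"',
    "Chrome 9": 'form-data; name="%22%22"',
}

def _after_open_quote(header):
    """Return the text following name=" in a Content-Disposition value."""
    marker = 'name="'
    start = header.index(marker) + len(marker)
    return header[start:]

def strict_quoted_string(header):
    """RFC 822 quoted-string: backslash escapes one char, first bare quote ends it."""
    out, chars = [], iter(_after_open_quote(header))
    for ch in chars:
        if ch == "\\":
            out.append(next(chars, ""))
        elif ch == '"':
            break
        else:
            out.append(ch)
    return "".join(out)

def lenient_last_quote(header):
    """Take everything up to the last quote, with no unescaping."""
    rest = _after_open_quote(header)
    return rest[: rest.rindex('"')]

def percent_decoded(header):
    """Lenient extraction followed by URL percent-decoding."""
    return unquote(lenient_last_quote(header))

STRATEGIES = (strict_quoted_string, lenient_last_quote, percent_decoded)

def recovery_table():
    """Map browser -> names of the strategies that give back FIELD_NAME."""
    return {
        browser: [f.__name__ for f in STRATEGIES if f(header) == FIELD_NAME]
        for browser, header in OBSERVED.items()
    }

if __name__ == "__main__":
    for browser, winners in recovery_table().items():
        print(f"{browser:15} -> {winners or 'not recoverable'}")
```

No strategy recovers the name from the Chrome 9 value: it writes the quote as `%22` and leaves the literal `%22` unchanged, so the two are indistinguishable on the receiving side.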

