[issue11269] cgi.FieldStorage forgets to unquote field names when parsing multipart/form-data

Glenn Linderman report at bugs.python.org
Fri Feb 25 19:36:26 CET 2011


Glenn Linderman <v+python at g.nevcal.com> added the comment:

Just some comments for the historical record:
During the discussion of issue 4953 research and testing revealed that browsers send back their cgi data using the same charset as the page that they are responding to. So the only way that quoting would be necessary on field names would be if they were quoted funny, as in your example here. It is somewhat unlikely that people would go to the trouble of coding field names that contain " and ' and % characters, just to mess themselves up (which ones do that depends on which quote character is used for the name in the HTML and whether the enctype is "multipart/form-data" or URL encoding).

And Firefox 3.6... provides

name=""%22"

and that presently works with Python 3.2 CGI!  But that might mean that for Firefox 4.x, providing the "\"%22", CGI might pass through the "\"?  And really, the dequoting must be incorrectly coded for the Firefox 3.6 to "work".

----------
nosy: +v+python

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11269>
_______________________________________
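
Added example (not part of the original message, and not the cgi module's code): the two Content-Disposition forms quoted above, run through a hypothetical parser that only strips the outer quotes and through one that parses name= as a backslash-escaped quoted-string. The header strings are constructed samples, both function names are made up for illustration, and "%22" is deliberately left undecoded.

```python
import re

# Constructed sample headers for a field whose name is the four characters "%22
FIREFOX_36 = 'form-data; name=""%22"'    # raw, unescaped quote (form quoted in the comment)
FIREFOX_4 = 'form-data; name="\\"%22"'   # backslash-escaped quote (form quoted in the comment)

_NAME = re.compile(r'(?:^|;)\s*name=')               # does not match "filename="
_QUOTED_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted-string with \x escapes
_ESCAPE = re.compile(r'\\(.)', re.S)


def naive_field_name(header):
    """Hypothetical model: drop one pair of outer quotes, undo no escapes."""
    m = _NAME.search(header)
    if m is None:
        return None
    value = header[m.end():].strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def strict_field_name(header):
    """Parse name= as a quoted-string and unescape it; None if malformed."""
    m = _NAME.search(header)
    if m is None:
        return None
    q = _QUOTED_STRING.match(header, m.end())
    if q is None:
        return None
    rest = header[q.end():].strip()
    if rest and not rest.startswith(';'):
        return None  # text after the closing quote that is not another parameter
    return _ESCAPE.sub(r'\1', q.group(1))


if __name__ == '__main__':
    for label, header in (('3.6', FIREFOX_36), ('4', FIREFOX_4)):
        print(label, repr(naive_field_name(header)), repr(strict_field_name(header)))
```

The naive parser returns the intended name only for the unescaped form and leaves the backslash in the escaped one; the strict parser recovers the name from the escaped form and rejects the unescaped one as malformed.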

