Context Navigation

Modify ↓

#13758 closed defect (fixed)

ValueError raised when receiving non-strict query string for POST method if multipart package installed

Reported by:	Jun Omae	Owned by:	Jun Omae
Priority:	normal	Milestone:	1.6.1
Component:	web frontend	Version:	1.6
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:	Fixed `ValueError` raised when receiving non-strict query string for POST method if `multipart` package installed.
API Changes:
Internal Changes:

Description

ValueError: bad query field: 'or' raised if sending non-strict query string for POST method like the following:

$ curl -sv -o /dev/null -d 'type=defect&or&owner=john' http://localhost:3000/tracenv/wiki
*   Trying 127.0.0.1:3000...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3000 (#0)
> POST /tracenv/wiki HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Length: 25
> Content-Type: application/x-www-form-urlencoded
>
} [25 bytes data]
* upload completely sent off: 25 out of 25 bytes

21:24:06 Trac[main] ERROR: [127.0.0.1] Internal Server Error: <RequestWithSession "POST '/wiki'">, referrer None
Traceback (most recent call last):
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 609, in dispatch_request
    dispatcher.dispatch(req)
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 301, in dispatch
    raise e
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 237, in dispatch
    req.args.get('__FORM_TOKEN') != req.form_token:
    ^^^^^^^^
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 661, in __getattr__
    value = self.callbacks[name](self)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 643, in <lambda>
    'args': lambda req: arg_list_to_args(req.arg_list),
                                         ^^^^^^^^^^^^
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 661, in __getattr__
    value = self.callbacks[name](self)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 1019, in _parse_arg_list
    return list(parse_form_data(self.environ))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 497, in parse_form_data
    pairs = urllib.parse.parse_qsl(
            ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/urllib/parse.py", line 795, in parse_qsl
    raise ValueError("bad query field: %r" % (name_value,))
ValueError: bad query field: 'or'
127.0.0.1 - - [07/Jun/2024 21:24:07] "POST /tracenv/wiki HTTP/1.1" 500 -

If multipart package not installed, cgi.FieldStorage is used and no error is raised.

trac/web/api.py

diff --git a/trac/web/api.py b/trac/web/api.py
index 80cf2ede8..383db0a06 100644

                if multipart:
             data = environ['wsgi.input'].read(length)
             pairs = urllib.parse.parse_qsl(
                 str(data, 'utf-8'), keep_blank_values=True,
                 strict_parsing=True, encoding='utf-8', errors='strict')
+                strict_parsing=False, encoding='utf-8', errors='strict')
             for name, value in pairs:
                 _raise_if_null_bytes(name)
                 _raise_if_null_bytes(value)

Attachments (0)

Change History (1)

comment:1 by Jun Omae, 6 months ago

Release Notes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed

Fixed in [17820] and merged in [17821].

Modify Ticket

Change Properties

Summary:
Description:	`ValueError: bad query field: 'or'` raised if sending non-strict query string for POST method like the following: {{{ $ curl -sv -o /dev/null -d 'type=defect&or&owner=john' http://localhost:3000/tracenv/wiki * Trying 127.0.0.1:3000... * TCP_NODELAY set * Connected to localhost (127.0.0.1) port 3000 (#0) > POST /tracenv/wiki HTTP/1.1 > Host: localhost:3000 > User-Agent: curl/7.68.0 > Accept: / > Content-Length: 25 > Content-Type: application/x-www-form-urlencoded > } [25 bytes data] * upload completely sent off: 25 out of 25 bytes }}} {{{ 21:24:06 Trac[main] ERROR: [127.0.0.1] Internal Server Error: <RequestWithSession "POST '/wiki'">, referrer None Traceback (most recent call last): File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 609, in dispatch_request dispatcher.dispatch(req) File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 301, in dispatch raise e File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/main.py", line 237, in dispatch req.args.get('__FORM_TOKEN') != req.form_token: ^^^^^^^^ File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 661, in __getattr__ value = self.callbacks[name](self) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 643, in <lambda> 'args': lambda req: arg_list_to_args(req.arg_list), ^^^^^^^^^^^^ File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 661, in __getattr__ value = self.callbacks[name](self) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 1019, in _parse_arg_list return list(parse_form_data(self.environ)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/home/jun66j5/venv/trac/1.6/lib/python3.11/site-packages/trac/web/api.py", line 497, in parse_form_data pairs = urllib.parse.parse_qsl( ^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.11/urllib/parse.py", line 795, in parse_qsl raise ValueError("bad query field: %r" % (name_value,)) ValueError: bad query field: 'or' 127.0.0.1 - - [07/Jun/2024 21:24:07] "POST /tracenv/wiki HTTP/1.1" 500 - }}} If `multipart` package not installed, `cgi.FieldStorage` is used and no error is raised. {{{#!diff diff --git a/trac/web/api.py b/trac/web/api.py index 80cf2ede8..383db0a06 100644 --- a/trac/web/api.py +++ b/trac/web/api.py @@ -524,7 +524,7 @@ if multipart: data = environ['wsgi.input'].read(length) pairs = urllib.parse.parse_qsl( str(data, 'utf-8'), keep_blank_values=True, - strict_parsing=True, encoding='utf-8', errors='strict') + strict_parsing=False, encoding='utf-8', errors='strict') for name, value in pairs: _raise_if_null_bytes(name) _raise_if_null_bytes(value) }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Fixed `ValueError` raised when receiving non-strict query string for POST method if `multipart` package installed.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jun Omae.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jun Omae to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: