-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace cgi.FieldStorage
with multipart
#466
base: main
Are you sure you want to change the base?
Conversation
Do you have a comment to throw into the mix here about the pros/cons of this versus using https://pypi.org/project/legacy-cgi/ which arguably would be more bw-compat? For example, I have a thought we should ship a version that uses legacy-cgi to unblock folks potentially short-term, and then in a newer version move to multipart which would have likely some clear bw-incompat changes. But I'm typing all of this without being aware of if there are bw-incompat changes in this PR. I don't see those listed out so maybe I'm asking for that. |
There shouldn't be any major bw compat issues, I took care to keep the same behavior and interface. The only differences I'm aware of:
|
@mgorny pointed out that there's conflicting multipart packages. It seems like Another option is vendoring |
I would be a fan of vendoring it if the test suite impact for webob isn’t too bad. Either way this doesn’t really feel like our problem. |
I'll give a shot at vendoring it. First time doing something like this, any best practices I should be aware of? |
waitress vendors asyncore as an example. |
Small snag: multipart has since released a v1, which is a significantly stricter parser and only accepts CRLF newlines. I've had to update a few tests that this broke. The author claims this should not affect real-world usecases.
defnull/multipart#55 (comment) Additionally, we have another backwards incompatibility to add to the list: Fields with no name have their name set to an empty string. ( |
The |
Hey @defnull, thanks for popping in! Good to know that name is mandatory per the RFCs. Since this PR seems like it will be part of the 2.0 release (if it gets merged), I think it makes sense to have a minor break so we can be in-line with both the standards and multipart's functionality. |
@mmerickel I've vendored multipart and all its tests. 100% coverage. Excluded the vendored files from linting to remain as close as possible to the original source. |
Once (or if) Kludex/python-multipart#166 gets merged, you can de-vendor again. |
hi folks, just a heads up there is a feedstock PR by the regro-bot to update the |
1.8.9 was released yesterday with support for 3.13 via legacy-cgi dependency. We will still evaluate this PR as part of the larger 2.0 release we’re working on. |
@mmerickel cheers, mate! Then I'll head over to the feedstock see if I can expedite the conda package deployment for 1.8.9 🍺 |
Gets rid of the deprecation warnings and resolves #437
This replaces dependencies on the stdlib
cgi
for the multipart package, as recommended by PEP-0594Unfortunately
MultiDict
exposesFieldStorage
objects publicly, and since that's no longer an option I created a newMultiDictFile
object that has the same shape. Beyond that, though,FieldStorage
is only an implementation detail and can be swapped out cleanly.There's one test now failing:
test_cgi_escaping_fix
. It looks to be special handling of a malformed multipart doc, but I can't figure out the motivation for it. It was originally added in d57f294 and the linked repository no longer exists, so the context is lost.As an aside:
FieldStorage
is an extremely weird API. The class represents both a single multipart part and the full multipart document.