Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix [] was being escaped in query key position #445

Closed
wants to merge 3 commits into from
Closed

Fix [] was being escaped in query key position #445

wants to merge 3 commits into from

Conversation

Lonami
Copy link
Contributor

@Lonami Lonami commented May 3, 2020

What do these changes do?

These changes fix a bug where [] was being escaped when used in the key of queries, namely:

def test_with_query_no_escape_braces():
    url = URL("http://example.com/get")
    url2 = url.with_query([("a[]", "3"), ("a[]", "4")])
    assert str(url2) == "http://example.com/get?a[]=3&a[]=4"

Are there changes in behavior for the user?

Yes, if users were relying on unintended, buggy behaviour ([] being escaped) this change may cause issues in their code.

Related issue number

None as far as I know.

Checklist

  • I think the code is well written
  • Unit tests for the changes exist
  • Documentation reflects the changes
  • Add a new news fragment into the CHANGES folder
    • name it <issue_id>.<type> (e.g. 588.bugfix)
    • if you don't have an issue_id change it to the pr id after creating the PR
    • ensure type is one of the following:
      • .feature: Signifying a new feature.
      • .bugfix: Signifying a bug fix.
      • .doc: Signifying a documentation improvement.
      • .removal: Signifying a deprecation or removal of public API.
      • .misc: A ticket has been closed, but it is not of interest to users.
    • Make sure to use full sentences with correct case and punctuation, for example: Fix issue with non-ascii contents in doctest text files.

@codecov
Copy link

codecov bot commented May 3, 2020

Codecov Report

Merging #445 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #445   +/-   ##
=======================================
  Coverage   99.24%   99.25%           
=======================================
  Files           2        2           
  Lines         664      667    +3     
  Branches      152      152           
=======================================
+ Hits          659      662    +3     
  Misses          5        5           
Impacted Files Coverage Δ
yarl/__init__.py 99.00% <100.00%> (+<0.01%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 9afd40d...0b59958. Read the comment docs.

@Lonami
Copy link
Contributor Author

Lonami commented May 3, 2020

No idea if the version will be 1.4.3, I used that because the last released one according to https://github.com/aio-libs/yarl/blob/master/CHANGES.rst (as of 2311d02) is 1.4.2. Perhaps it deserves a minor bump even though it's a bug-fix patch because it could potentially disrupt users?

@Lonami
Copy link
Contributor Author

Lonami commented May 10, 2020

Another bump for the weekend? (Forgot to do it yesterday.)

Comment on lines +640 to +641
The ``'[]'`` characters are not escaped in the keys of the query
because some endpoints expect those to be present when specifying arrays.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mind also referencing an RFC document that specifies this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not have any RFC on this, I only wrote this based on what you said in #443 (comment).

web-browsers use varname[] format for arrays

Copy link
Member

@webknjaz webknjaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I've done some research and it turns out I was wrong. The square brackets are supposed to be encoded:

PHP hack uses them to turn input values into arrays but the client-side still encodes them.

I've checked it in Chrome and verified that it does encode []. That being said, raw [/] are only allowed as a part of the host section to represent IPv6 addresses.

@webknjaz webknjaz closed this May 11, 2020
@Lonami
Copy link
Contributor Author

Lonami commented May 11, 2020

Okay, thanks for the investigation. So there's nothing for me to fix in #443 with regards to this and [] should be escaped.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants