request.form contains '-C':'' when no QUERY_STRING in environ
Bug #257675 reported by
Sam Brauer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Zope 2 |
Fix Released
|
Low
|
Unassigned |
Bug Description
I noticed that a mysterious form parameter named "-C" with an empty value was added to request.form when there were no other form parameters in the request. After some searching I saw that this was also a bug in Zope3 (https:/
However the fix was never backported to Zope2.
Attached is a patch to fix the problem in Zope2.
The patch was made against Zope-2.11.1-final.
Changed in zope2: | |
importance: | Undecided → Low |
Changed in zope2: | |
status: | New → Fix Committed |
Changed in zope2: | |
milestone: | none → 2.12.4 |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
The "-C" parameter comes from the standard python cgi module (line 452) which is used to parse http requests args. If the "QUERY_STRING" environment variable is not present, the program uses sys.argv[1].
With zope, sys.argv is (at least): ['/zope/ software/ home/python/ Zope2/Startup/ run.py' , '-C', '/my/instance/ home/etc/ zope.conf' ]; that's why we get the '-C' empty parameter.
I didn't check the history of the cgi.py module, so I don't know why sys.argv[1] is used (probably a trick?).
Anyway, your patch is okay but I think that it would be better to remove the "QUERY_STRING" key after the (Zope)FieldStorage instantiation: for instance, some applications may decide to check http parameters with an expression like environ. has_key( 'QUERY_ STRING' ) and thus get some value when none was expected.