Issue #2873 resolved

_parse_rfc1738_args removes '+' symbol from password

Anonymous created an issue

AFAIK, the '+' symbol only needs to be unquoted to separate form values from a URL. But why does the function _parse_rfc1738_args in sqlalchemy/lib/sqlalchemy/engine/ use unquote_plus on the password!? This is wrong, I think.

The following lines of code replace the '+' symbol in the password with a space, causing the database connection to eventually fail.

    if components['password'] is not None:
        components['password'] = \
            util.unquote_plus(components['password'])

Comments (6)

  1. Michael Bayer repo owner

    I've no idea why this has never been pointed out before and the RFC is pretty unambiguous about it. Fortunately you posted this before 0.9 final was released so we have a chance to update this, changed in 2800e34710672b408fa4a7bdd. For prior versions you can of course go with a URL-encoded plus sign.

  2. Michael Bayer repo owner
    • removed status
    • changed status to open
    • marked as blocker

    screwed up again:

    The user name (and password), if present, are followed by a commercial at-sign "@". Within the user and password field, any ":", "@", or "/" must be encoded.
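The behaviour discussed in this thread, as an added example that is not SQLAlchemy's code: a simplified URL parser run with both decoders, plus a helper that percent-encodes a password so that '+', ':', '@' and '/' all round-trip. The regular expression, the function names (`parse_url`, `encode_password`, `make_url`) and the sample credentials are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote, unquote_plus

# Simplified pattern for dialect://user:password@host/database (constructed
# for this example; it is not SQLAlchemy's own regular expression).
_URL = re.compile(
    r"^(?P<scheme>[\w+]+)://"
    r"(?:(?P<username>[^:/@]*)(?::(?P<password>[^/@]*))?@)?"
    r"(?P<host>[^/:]*)(?::(?P<port>\d+))?"
    r"(?:/(?P<database>.*))?$"
)


def parse_url(url, decode=unquote):
    """Split a database URL and percent-decode the password with `decode`."""
    m = _URL.match(url)
    if m is None:
        raise ValueError("could not parse URL")
    parts = m.groupdict()
    if parts["password"] is not None:
        parts["password"] = decode(parts["password"])
    return parts


def encode_password(password):
    """Percent-encode everything outside the unreserved set, so ':', '@',
    '/' and '+' survive whichever decoder the parser applies."""
    return quote(password, safe="")


def make_url(scheme, user, password, host, database):
    """Build a URL whose password field is safe to embed."""
    return f"{scheme}://{user}:{encode_password(password)}@{host}/{database}"


if __name__ == "__main__":
    raw = "postgresql://scott:ti+ger@localhost/test"  # constructed sample
    print(repr(parse_url(raw, unquote_plus)["password"]))  # '+' becomes a space
    print(repr(parse_url(raw, unquote)["password"]))       # '+' is preserved
    secret = "p+ss:w@rd/1"  # constructed sample password
    url = make_url("postgresql", "scott", secret, "localhost", "test")
    print(url, parse_url(url)["password"] == secret)
```

Encoding the plus sign as `%2B` gives the same password under either decoder, which is why a URL-encoded plus sign works on versions that still apply `unquote_plus`.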
