_parse_rfc1738_args removes '+' symbol from password

Issue #2873 resolved
Anonymous created an issue

AFAIK, '+' symbol only needs to be unquoted to separate form values from URL. But why function _parse_rfc1738_args in sqlalchemy/lib/sqlalchemy/engine/url.py uses unquote_plus on password!? This is wrong, I think.

Following lines of code are replacing '+' symbol in password with space causing database connection to eventually fail.

if components'password' is not None: components'password' = \ util.unquote_plus(components'password')

Comments (6)

  1. Michael Bayer repo owner

    I've no idea why this has never been pointed out before and the RFC is pretty unambiguous about it. Fortunately you posted this before 0.9 final was released so we have a chance to update this, changed in 2800e34710672b408fa4a7bdd. For prior versions you can of course go with a URL-encoded plus sign.

  2. Michael Bayer repo owner
    • marked as blocker
    • changed status to open
    • removed status

    screwed up again:

    The user name (and password), if present, are followed by a commercial at-sign "@". Within the user and password field, any ":", "@", or "/" must be encoded.

  3. Log in to comment