- changed status to resolved
Arguments passed in URL to create_engine are not properly unescaped.
Suppose I have a Postgres database called 'mydatabase' running locally, and I want to connect to it as user 'george', but my password is 'apples/oranges'. The following fails, because the password has a forward slash in it:
from sqlalchemy import create_engine
engine = create_engine('postgres://george:apples/oranges@localhost/mydatabase')
The obvious mistake is that I haven't quoted the arguments I'm embedding into the URL. But if I do quote them, as follows:
engine = create_engine('postgres://george:apples%2Foranges@localhost/mydatabase')
then I am told that the password is incorrect. I think the solution is to call unquote_plus on all arguments passed as part of the connection URL, before passing them to the underlying connection creation code.
For the time being, I am using quote_plus on ingoing arguments, because it prevents someone from forging a malicious connection string. Either way, at the moment I can't have characters with special meaning for URLs in my username or password.
(I've tested this with a Postgres database, but not any other.)
Otherwise, thanks for a great library :) George
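The encoding rule the report is circling around, as an added example that is not part of the original report or of SQLAlchemy's own URL code: build a connection URL whose credentials may contain reserved characters, then parse it and percent-decode the userinfo before it would reach the driver. Only the standard library's urllib.parse is used; build_db_url, parse_db_url and plus_roundtrip_ok are illustrative helper names, and the passwords are constructed test values.

```python
"""Percent-encoding credentials in a database URL (added example).

Constructed to illustrate the bug report above with the standard library
only; it does not call or reproduce SQLAlchemy's own URL parser.
"""
from urllib.parse import quote, quote_plus, unquote, urlsplit


def build_db_url(driver, user, password, host, database):
    """Assemble driver://user:password@host/database with encoded userinfo.

    safe='' forces every reserved character ('/', '@', ':', '+', '?', '#', ...)
    to be percent-encoded, so the credentials can never be mistaken for the
    host, the port, the path or a second '@' delimiter.
    """
    return "%s://%s:%s@%s/%s" % (
        driver, quote(user, safe=""), quote(password, safe=""), host, database)


def parse_db_url(url):
    """Split a connection URL and percent-decode the credentials.

    This is the step the report asks the library to perform: decode the
    username and password after splitting, before handing them to the DBAPI.
    urlsplit() itself never decodes, which is why an encoded password reaches
    the driver as 'apples%2Foranges' unless the caller unquotes it.
    """
    parts = urlsplit(url)
    return {
        "driver": parts.scheme,
        "user": None if parts.username is None else unquote(parts.username),
        "password": None if parts.password is None else unquote(parts.password),
        "host": parts.hostname,
        "database": parts.path.lstrip("/"),
    }


def plus_roundtrip_ok(password):
    """Check whether quote_plus() output survives an RFC 3986 unquote().

    quote_plus() writes a space as '+', but a URL-style unquote() leaves '+'
    alone, so a library that decodes with unquote() (the correct choice for
    the userinfo component) will not reverse quote_plus() for passwords that
    contain spaces. Encoding and decoding must use the same family.
    """
    return unquote(quote_plus(password, safe="")) == password


if __name__ == "__main__":
    # Constructed credentials, echoing the report's example.
    naive = "postgres://george:apples/oranges@localhost/mydatabase"
    print("naive   :", parse_db_url(naive))       # password None, host 'george'
    encoded = build_db_url("postgres", "george", "apples/oranges",
                           "localhost", "mydatabase")
    print("encoded :", encoded)
    print("decoded :", parse_db_url(encoded))     # password 'apples/oranges'
    print("'apples oranges' via quote_plus/unquote:",
          plus_roundtrip_ok("apples oranges"))   # False
```

With the unencoded URL the parser stops the authority part at the first '/', so 'george:apples' becomes host and port and everything after the slash becomes the path; with the encoded URL the password comes back intact once it is unquoted. The last check shows why the decoding side should be plain unquote() rather than unquote_plus(): a literal '+' is legal in a password, and only an encoder that percent-encodes it (quote with safe='') pairs correctly with that decoder.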
Comments (3)
- repo owner - changed milestone to 0.4.0
  Milestone next micropoint release deleted
- repo owner - removed milestone
  Removing milestone: 0.4.0 (automated comment)
- hi -
  please verify that the change made in changeset:1816 properly addresses this issue; reopen if needed.