_parse_rfc1738_args removes '+' symbol from password

Issue #2873 resolved
Former user created an issue

AFAIK, the '+' symbol only needs to be unquoted to separate form values from a URL. But why does the function _parse_rfc1738_args in sqlalchemy/lib/sqlalchemy/engine/url.py use unquote_plus on the password!? This is wrong, I think.

The following lines of code replace the '+' symbol in the password with a space, causing the database connection to eventually fail.

    if components['password'] is not None:
        components['password'] = \
            util.unquote_plus(components['password'])

Comments (6)

  1. Mike Bayer repo owner

    I've no idea why this has never been pointed out before and the RFC is pretty unambiguous about it. Fortunately you posted this before 0.9 final was released so we have a chance to update this, changed in 2800e34710672b408fa4a7bdd. For prior versions you can of course go with a URL-encoded plus sign.

  2. Mike Bayer repo owner
    • marked as blocker
    • changed status to open
    • removed status

    screwed up again:

    The user name (and password), if present, are followed by a commercial at-sign "@". Within the user and password field, any ":", "@", or "/" must be encoded.

  3. Mike Bayer repo owner

    adjusted in 6029496bd3fb78caeab349ef8df5b58f. I'm still not clear on the parsing side, do we unconditionally deencode any %XX symbol? I'd assume so, that's what it's doing.

    Will send a new tweet but if folks can tell me this is right finally, that would help.
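
The decoding difference discussed in this thread, shown as an added example that is not part of the original issue and is not SQLAlchemy's code. The regex, `parse_url`, `build_url` and the sample credentials are hypothetical and constructed for illustration; only `quote`, `unquote` and `unquote_plus` from the standard library are real APIs.

```python
import re
from urllib.parse import quote, unquote, unquote_plus

# Simplified RFC 1738-style pattern (an assumption for this example, not
# SQLAlchemy's own regex): scheme://user:password@host:port/database
_URL_RE = re.compile(
    r"^(?P<scheme>[\w+]+)://"
    r"(?:(?P<username>[^:/@]*)(?::(?P<password>[^/@]*))?@)?"
    r"(?P<host>[^/:@]*)(?::(?P<port>\d+))?"
    r"(?:/(?P<database>.*))?$"
)


def parse_url(url, decode=unquote):
    """Split a database URL and percent-decode the credential fields."""
    m = _URL_RE.match(url)
    if m is None:
        raise ValueError("could not parse URL: %r" % url)
    parts = m.groupdict()
    for field in ("username", "password"):
        if parts[field] is not None:
            parts[field] = decode(parts[field])
    return parts


def build_url(scheme, username, password, host, database):
    """Encode credentials so ':', '@' and '/' cannot be read as delimiters."""
    # safe="" makes quote() encode '/' as well; '+' becomes %2B, which both
    # unquote() and unquote_plus() decode back to '+'.
    return "%s://%s:%s@%s/%s" % (
        scheme, quote(username, safe=""), quote(password, safe=""),
        host, database,
    )


# Constructed sample credentials, not taken from the issue.
RAW_PASSWORD = "p+ss:w@rd/1"
LITERAL_PLUS_URL = "postgresql://scott:ti+ger@localhost/test"

if __name__ == "__main__":
    # Form-style decoding (the reported behaviour) turns '+' into a space.
    print(repr(parse_url(LITERAL_PLUS_URL, decode=unquote_plus)["password"]))
    # Plain percent-decoding keeps the literal '+'.
    print(repr(parse_url(LITERAL_PLUS_URL, decode=unquote)["password"]))
    url = build_url("postgresql", "scott", RAW_PASSWORD, "localhost", "test")
    print(url, "->", repr(parse_url(url)["password"]))
```

Building the URL with `build_url` gives a string that decodes to the same password under either decoder, which is why a URL-encoded plus sign works on versions that still use `unquote_plus`.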
