urllib.parse.parse_qsl now raises ValueError if illegal characters is passed

Author: Davda-James

Lib/test/test_urlparse.py

@@ -1227,6 +1227,13 @@ def test_parse_qs_encoding(self):
                                                           errors="ignore")
         self.assertEqual(result, {'key': ['\u0141-']})
 
+    def test_qsl_strict_parsing_raises(self):
+        with self.assertRaises(ValueError):
+            urllib.parse.parse_qsl("foo", strict_parsing=True)
+
+        with self.assertRaises(ValueError):
+            urllib.parse.parse_qsl(b"foo", strict_parsing=True)
+            
     def test_parse_qsl_encoding(self):
         result = urllib.parse.parse_qsl("key=\u0141%E9", encoding="latin-1")
         self.assertEqual(result, [('key', '\u0141\xE9')])

Lib/urllib/parse.py

@@ -91,6 +91,9 @@
 # Unsafe bytes to be removed per WHATWG spec
 _UNSAFE_URL_BYTES_TO_REMOVE = ['\t', '\r', '\n']
 
+# Allowed valid characters in parse_qsl
+_VALID_QUERY_CHARS = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$") 
+
 def clear_cache():
     """Clear internal performance caches. Undocumented; some tests want it."""
     urlsplit.cache_clear()
@@ -854,6 +857,11 @@ def _unquote(s):
             name, has_eq, value = name_value.partition(eq)
             if not has_eq and strict_parsing:
                 raise ValueError("bad query field: %r" % (name_value,))
+            if strict_parsing:
+                # Validate RFC3986 characters
+                to_check = (name_value.decode() if isinstance(name_value, bytes) else name_value)
+                if not _VALID_QUERY_CHARS.match(to_check):
+                    raise ValueError(f"Invalid characters in query string per RFC 3986: {name_value!r}")
             if value or keep_blank_values:
                 name = _unquote(name)
                 value = _unquote(value)