urllib.parse.parse_qsl is accepting illegal characters #138284
Description
Bug report
Bug description:
urllib.parse.parse_qsl parses query strings containing the ^ and ` characters, even though these are not valid query characters under RFC 3986.
Observed behaviour:
parse_qsl('foo=^', strict_parsing=True)
# [('foo', '^')]
parse_qsl('bar=`', strict_parsing=True)
# [('bar', '`')]Expected behaviour:
According to RFC 3986, both ^ and ` must be percent-encoded if used in a URI. However, parse_qsl accepts them as-is without raising an error or warning. This could lead to applications treating invalid URLs as valid.
Detailed Code:
import sys
import platform
from urllib.parse import parse_qsl
def test_parse_qsl(query):
try:
result = parse_qsl(query, strict_parsing=True)
print(f"Query: {query!r} -> Parsed: {result}")
except ValueError as e:
print(f"Query: {query!r} -> Error: {e}")
# Test invalid query strings
test_parse_qsl("foo=^")
test_parse_qsl("bar=`")
# System information
os_name = platform.system()
os_release = platform.release()
python_impl = platform.python_implementation()
python_version = sys.version.split()[0]
python_compiler = platform.python_compiler()
print("\n--- System Information ---")
print(f"Python Implementation : {python_impl}")
print(f"Python Version : {python_version}")
print(f"Python Compiler : {python_compiler}")
print(f"Operating System : {os_name} {os_release}")
print(f"Machine : {platform.machine()}")
# Output:
# Query: 'foo=^' -> Parsed: [('foo', '^')]
# Query: 'bar=`' -> Parsed: [('bar', '`')]
# --- System Information ---
# Python Implementation : CPython
# Python Version : 3.13.1
# Python Compiler : GCC 14.2.0
# Operating System : Linux 4.14.174
# Machine : x86_64References:
-
Section 2.2 Reserved Characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
-
Section 2.3 Unreserved Characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.3
CPython versions tested on:
3.13
Operating systems tested on:
Linux