I executed CGIHTTPServer and requested the following URI,"http://localhost:8000/cgi-bin/test.py?k=aa%2F%2Fbb"to pass "aa//bb" as argument "k",but test.py received "aa/bb".I looked in CGIHTTPServer.py and found _url_collapse_path functiondiscards continuous slash letters even they are in the given parameters.

This bug seems to remain in Python 3.5.0.How to reproduce:1. Save the attached cgitest.py into cgi-bin directory and changed it to executable file by "chmod +x cgitest.py"2. Run CGIHTTPRequestHandler[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linuxType "help", "copyright", "credits" or "license" for more information.>>> import http.server>>> http.server.test(HandlerClass=http.server.CGIHTTPRequestHandler)3. Visithttp://localhost:8000/cgi-bin/cgitest.py by any browser.4. Input "a/b/c//d//e///f///g" to form named "p".5. The continuous slash letters are trimed and "a/b/c/d/e/f/g" is given to cgitest.py.

Yes it also seems to apply to Python 3.Perhaps you forgot your test script, so I made my own. After runningpython3 -m http.server --cgiThe response from the following URL has no double slashes to be seen:http://localhost:8000/cgi-bin/test.py//x//y//?k=aa%2F%2Fbb&//q//p//=//a//b//I am not a CGI expert, but I suspect the query string bits should have double slashes, but maybe the PATH_INFO is right not to (see RFC 3875).

I think this is a bug. According to the rfcs, "/" is a reserved character in query component and continuous "/" in query component may be invalid and how to deal with it depends on the server. But encoded "/", %2F, acts as data and should be preserved. And from rfc3875, QUERY_STRING must be passed encoded.I tested in apache2.4 with martin's script, query string is:('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//')In python's CGI server, it is:('QUERY_STRING', 'k=aa/bb&/q/p/=/a/b/'),

The path with query component are unquoted entirely and then pass into_url_collapse_path.I think this behaviour is wrong and according to rfc3875 query componentshould be left encoded in QUERY_STRING.This patch seems to solve the problem. It passes the tests and withmartin's script, it gets:('QUERY_STRING', 'k=aa%2F%2Fbb&//q//p//=//a//b//')has the same behaviour with apache.

It would be good to have a regression test case for this one too.

Add the testcase and use str.partition.

The patch looks like it will fix this particular bug without much negative impact. However there are plenty of other problems with this module’s URL handling, seeIssue 14567. I think the translate_path(), _url_collapse_path(), is_cgi(), run_cgi(), etc functions all need a good rewrite.Anyway it might be worth going ahead and committing this straight away, whether or not anyone is motivated to fix the wider issue later on.

Yes, there seems to still exist some defects not conforming to thespecification. I would like to investigate it. Maybe I can proposea patch for it.

New changeset634fe6a90e0c by Martin Panter in branch '3.4':Issue#24657: Prevent CGIRequestHandler from collapsing the URL queryhttps://hg.python.org/cpython/rev/634fe6a90e0cNew changesetba1e3c112e42 by Martin Panter in branch '3.5':Issues#25232,#24657: Merge two CGI server fixes from 3.4 into 3.5https://hg.python.org/cpython/rev/ba1e3c112e42New changeset88918f2a54df by Martin Panter in branch '3.5':Issues#25232,#24657: Use new enum status to match rest of testshttps://hg.python.org/cpython/rev/88918f2a54dfNew changeset0f03023d4318 by Martin Panter in branch 'default':Issues#25232,#24657: Merge two CGI server fixes from 3.5https://hg.python.org/cpython/rev/0f03023d4318New changeset3c006ee38287 by Martin Panter in branch 'default':Issues#25232,#24657: Add NEWS to 3.6.0a1 sectionhttps://hg.python.org/cpython/rev/3c006ee38287

New changeseta4302005f9a2 by Martin Panter in branch '2.7':Issue#24657: Prevent CGIRequestHandler from collapsing the URL queryhttps://hg.python.org/cpython/rev/a4302005f9a2

Thanks everyone for the reports and patches. There were a couple of subtle compatibility tweaks needed for the 3.4 and 2.7 branches, but I think I got them all.