Add optional flag for quoting fields

[lukasz-madon]

What do these changes do?

Add a flag for quoting fields.

RFC standard requires all fields to be US-ASCII. Additional quote
may provide extra security (RFC-1806 p. 2.3), but does not allow
for interoperability with API that requires ASCII characters outside
quote set e.g. emails[] becomes emails%5B%5D

Are there changes in behavior for the user?

There will be no change for current users (the parameter defaults to True). Users that want to skip quoting can pass the flag to constructor.

form = helpers.FormData(quote_fields=False)

Related issue number

fixes #903

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes

[asvetlov]

Looks good.
@lukasz-madon would you add documentation update also?

[lukasz-madon]

Actually, the problem is a bit bigger. Aiohttp doesn't implement specification properly see http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.19.5.1

Field can be a token (a limited ascii set) OR ascii string inside a quotation mark. Aiohttp only allows tokens. I think this should be a default behaviour, but it may break if users want to update the library.

[jchampio]

@lukasz-madon: You'll want to find the latest MIME RFCs to point to instead. Not only is RFC 2616 obsolete, but I don't think it ever applied to multipart payloads to begin with.

https://tools.ietf.org/html/rfc7578#section-4.2, https://tools.ietf.org/html/rfc2183, and https://tools.ietf.org/html/rfc2231 might be good starting points? I am not a MIME expert...

[lukasz-madon]

@jchampio not a MIME expert, but looking at RFC and other implementations filename should allow any US-ASCII inside "" https://github.com/pallets/werkzeug/blob/master/tests/test_http.py#L250 https://github.com/pallets/werkzeug/blob/master/werkzeug/http.py#L180

[kxepal]

@lukasz-madon This case is invalid according test suite we used to implement Content-Disposition parser. Though major part of browsers allows that, the spec says the other.

[fafhrd91]

@kxepal thoughts?

[kxepal]

Hm...I was wrong in previous message about it's wrong - I miss the quotes in test.

@fafhrd91 need a bit time to make sure that's correct, but so far LGFM.

[fafhrd91]

@kxepal merge whenever ready

[kxepal]

@fafhrd91 ok

[fafhrd91]

@kxepal i need you to make a decision

[kxepal]

@fafhrd91 Sorry, I forgot about.

[fafhrd91]

Thanks!

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.