Reject non-str values in form data (#9292)

aio-libs · Sep 26, 2024 · d7cd061 · d7cd061
1 parent 56aa261
commit d7cd061
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/CHANGES/9292.breaking.rst b/CHANGES/9292.breaking.rst
@@ -0,0 +1 @@
+Started rejecting non string values in `FormData`, to avoid unexpected results -- by :user:`Dreamsorcerer`.
diff --git a/aiohttp/formdata.py b/aiohttp/formdata.py
@@ -101,6 +101,8 @@ def _gen_form_urlencoded(self) -> payload.BytesPayload:
         # form data (x-www-form-urlencoded)
         data = []
         for type_options, _, value in self._fields:
+            if not isinstance(value, str):
+                raise TypeError(f"expected str, got {value!r}")
             data.append((type_options["name"], value))
 
         charset = self._charset if self._charset is not None else "utf-8"

diff --git a/tests/test_client_session.py b/tests/test_client_session.py
@@ -207,6 +207,12 @@ async def test_merge_headers_with_list_of_tuples_duplicated_names(
     ]
 
 
+@pytest.mark.parametrize("obj", (object(), None))
+async def test_invalid_data(session: ClientSession, obj: object) -> None:
+    with pytest.raises(TypeError, match="expected str"):
+        await session.post("http://example.test/", data={"some": obj})
+
+
 async def test_http_GET(session: ClientSession, params: _Params) -> None:
     with mock.patch(
         "aiohttp.client.ClientSession._request", autospec=True, spec_set=True

diff --git a/tests/test_formdata.py b/tests/test_formdata.py
@@ -32,10 +32,18 @@ def test_formdata_multipart(buf: bytearray) -> None:
     assert form.is_multipart
 
 
-def test_invalid_formdata_payload() -> None:
+@pytest.mark.parametrize("obj", (object(), None))
+def test_invalid_formdata_payload_multipart(obj: object) -> None:
     form = FormData()
-    form.add_field("test", object(), filename="test.txt")
-    with pytest.raises(TypeError):
+    form.add_field("test", obj, filename="test.txt")
+    with pytest.raises(TypeError, match="Can not serialize value"):
+        form()
+
+
+@pytest.mark.parametrize("obj", (object(), None))
+def test_invalid_formdata_payload_urlencoded(obj: object) -> None:
+    form = FormData({"test": obj})
+    with pytest.raises(TypeError, match="expected str"):
         form()
 
 

diff --git a/tests/test_web_functional.py b/tests/test_web_functional.py
@@ -240,7 +240,7 @@ async def handler(request: web.Request) -> web.Response:
     app.router.add_post("/", handler)
     client = await aiohttp_client(app)
 
-    resp = await client.post("/", data={"a": 1, "b": 2, "c": ""})
+    resp = await client.post("/", data={"a": "1", "b": "2", "c": ""})
     assert 200 == resp.status
     txt = await resp.text()
     assert "OK" == txt
@@ -528,7 +528,7 @@ async def handler(request: web.Request) -> web.Response:
     app.router.add_post("/", handler)
     client = await aiohttp_client(app)
 
-    resp = await client.post("/", data=MultiDict([("a", 1), ("a", 2)]))
+    resp = await client.post("/", data=MultiDict([("a", "1"), ("a", "2")]))
     assert 200 == resp.status
 
     resp.release()