bottle icon indicating copy to clipboard operation
bottle copied to clipboard

"cgi" standard library module used by bottle is deprecated in Python 3.11, to be removed in 3.13

Open liyanage opened this issue 3 years ago • 29 comments

I'm running bottle with Python 3.11 for the first time and I see this deprecation warning:

/xxx/lib/bottle/bottle.py:72: DeprecationWarning: 'cgi' is deprecated and slated for removal in Python 3.13
  import base64, calendar, cgi, email.utils, functools, hmac, itertools,\

I guess bottle needs to stop using this module?

liyanage avatar Nov 07 '22 18:11 liyanage

That's unfortunate, bottle uses the form-data/multipart parser from that library. The PEP says:

FieldStorage/MiniFieldStorage has no direct replacement, but can typically be replaced by using multipart (for POST and PUT requests) or urllib.parse.parse_qsl (for GET and HEAD requests)

Great. I'm the author of multipart, so I'm okay with that, but copy&pasting all that into bottle (to maintain the zero-dependency design goal) feels wrong.

defnull avatar Nov 08 '22 09:11 defnull

Removing the multipart/form-data parser from Python standard library is unthinkable. I understand the cgi module was deprecated because CGI is itself deprecated, but the multipart encoding is not deprecated, it's still used today, hence I totally don't understand this..

zb3 avatar Jan 12 '23 14:01 zb3

PEP 594: Remove the cgi and cgitb modules, deprecated in Python 3.11.

cgi.FieldStorage can typically be replaced with urllib.parse.parse_qsl() for GET and HEAD requests, and the email.message module or multipart PyPI project for POST and PUT.

(per https://docs.python.org/3.13/whatsnew/3.13.html)

simsong avatar Aug 09 '23 19:08 simsong

Any news maybe on this? 3.13 is now getting closer with 3.12 being out in the meantime, albeit the release plan is around half of next year.

fedepell avatar Nov 03 '23 05:11 fedepell

The only viable solution is to copy&paste code from multipart into bottle. I really really do not want to do that, but I have no other idea how to maintain the single-file no-deps aspect any other way.

defnull avatar Nov 03 '23 08:11 defnull

The only viable solution is to copy&paste code from multipart into bottle. I really really do not want to do that, but I have no other idea how to maintain the single-file no-deps aspect any other way.

Thanks for the fast reply! I see your point and absolutely agree is not "nice", but if we don't want to have dependencies, then I guess it's really the only way to go ("soon" or as Python 3.13 start getting traction).

Would you mind when you have time in case create a branch (possibly also for 0.12.x ?) with this so we can start testing? (I'm looking at this in the scope of future Fedora 41 planning to use it)

fedepell avatar Nov 04 '23 05:11 fedepell

@defnull Hi can we using the email module in the standard library to avoid the copy / pasting?

aisk avatar Nov 28 '23 15:11 aisk

@defnull Since @aisk proposal does not work out (for large data as you underlined), what is your position on this issue ?

ilrico avatar Dec 10 '23 16:12 ilrico

If the only requirement is to handle multipart and nothing else, it should not be hard to write a parser that does just that. multipart is not complex.

simsong avatar Dec 10 '23 17:12 simsong

I wonder if the no-deps line should not be open to compromise, as it is theorical: we see with this issue we are always dependant anyway, as least from std lib.

ilrico avatar Dec 10 '23 17:12 ilrico

I'm also fine with copying the lines we from the cgi library into bottle.

simsong avatar Dec 10 '23 17:12 simsong

Here is the POC https://github.com/valq7711/bottle/tree/multipart

Features:

  • It parses body while writing request.body and produces a markup, which is stored in request.body.multipart_markup
  • files are not tmp-files, but BytesIOProxy file-like objects, which are proxied to corresponding parts of request.body (no extra copying from request.body to tmp-files that cgi does), so it is ~30% faster
  • nested multipart not supported
  • only CRLF delimiters allowed (RFC 7578), single LFs not supported
  • if there is an error while parsing, it is stored in request.body.multipart_markup.error and raised if only request.POST/forms/files touched, so if body has some exotic format, one can parse it using custom tools, without croaking of undesired errors (just do not touch request.POST/forms/files)

valq7711 avatar Dec 10 '23 23:12 valq7711

Looks good; are you going to commit a test as well?

simsong avatar Dec 11 '23 03:12 simsong

@simsong what do you mean? It passed the test https://github.com/valq7711/bottle/actions/runs/7160872053 Multipart test is in test_environ.py The problem is that it is breaking changes as cgi supports nested multiparts and allows LF-delimiters (instead of CRLF)

valq7711 avatar Dec 11 '23 06:12 valq7711

Ah. I didn’t see that.

On Mon, Dec 11, 2023 at 1:25 AM valq7711 @.***> wrote:

@simsong https://github.com/simsong what do you mean? It passed the test https://github.com/valq7711/bottle/actions/runs/7160872053 Multipart test is in test_environ.py The problem is that it is breaking changes as cgi supports nested multiparts and allows LF-delimiters (instead of CRLF)

— Reply to this email directly, view it on GitHub https://github.com/bottlepy/bottle/issues/1403#issuecomment-1849400028, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAMFHLGUEIPLDPCVBTOOFXLYI2RNRAVCNFSM6AAAAAARZPDW7WVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNBZGQYDAMBSHA . You are receiving this because you were mentioned.Message ID: @.***>

simsong avatar Dec 11 '23 11:12 simsong

hi folks, a gentle reminder that 3.13 in alpha 4 and cgi confirmed removed!

PEP 594 (Removing dead batteries from the standard library) scheduled removals of many deprecated modules: aifc, audioop, chunk, cgi, cgitb, crypt, imghdr, mailcap, msilib, nis, nntplib, ossaudiodev, pipes, sndhdr, spwd, sunau, telnetlib, uu, xdrlib, lib2to3.

ilrico avatar Feb 22 '24 17:02 ilrico

Just a ping as Python 3.13 is closer and closer...

fedepell avatar Jun 11 '24 03:06 fedepell

Python 3.13b2 has landed in Fedora Rawhide breaking bottle

opoplawski avatar Jun 14 '24 04:06 opoplawski