guile-www-2.9 (www cgi) bad cgi:values when a name has no "="

[Alan Grover]

The (www cgi) module parses query-string/form-data parameters 
incorrectly, thus cgi:value, cgi-values, cgi:names, and cgi:form-data? 
will give incorrect results.

Module: www cgi
Version: 2.9

The low-level "split" function, separate-fields-discarding-char, 
discards a "key" if there is no value. Example: http://gnu.org?bob will 
have "bob" dropped, yielding no results for the values/names functions.

I believe this is a bug, as it is important in some cases to know that a 
"key" appears even if it has no value. Only a "href" seems likely to 
generate such a construct, as forms typically result in an empty value 
(and thus an appearance like: "bob=").

Further, the internal data structure (form-variables) is sometimes 
populated with bad alist entries such as (#f #f). E.g. 
http://gnu.org?val=1&noval2 will create such an entry.

The applicable RFC seems to be 1866:
section 8.2.1: "Fields with null values may be omitted" by user agents. 
Which implies that a null value is legal. Further, "the name [is] 
separated from the value by `='" would imply that the "=" is not 
optional. Thus, my example above may be strictly illegal. In fact, 
without a "=" or "&", the query-string (as form-data) is 
indistinguishable from an 'ISINDEX' query-string (see section 7.5).

However, many url-parsing implementations tolerate a missing "=". E.g. 
Perl's widely used cgi.pm.

I'm working on a suggested change to (www cgi) that corrects this bug 
and maintains the order of the form-data. It should be available within 
the next 2 days.

--
Alan Grover
address@hidden
+1.734.476.0969