Flask: flask.request.args.get replacing '+' with space in url

Question

I am trying to use a flask server for an api that takes image urls through the http get parameters.

I am using this url example which is very long (on pastebin) and contain's many +'s in the url. I have the following route set up in my flask server

@webapp.route('/example', methods=['GET'])
def process_example(): 
    imageurl = flask.request.args.get('imageurl', '')
    url = StringIO.StringIO(urllib.urlopen(imageurl).read())
    ...

but the issue I get is

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/aly/anaconda/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/Users/aly/anaconda/lib/python2.7/urllib.py", line 208, in open
    return getattr(self, name)(url)
  File "/Users/aly/anaconda/lib/python2.7/urllib.py", line 597, in open_data
    data = base64.decodestring(data)
  File "/Users/aly/anaconda/lib/python2.7/base64.py", line 321, in decodestring
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

Upon further inspection (i.e. printing the imageurl that flask gets) it would appear that the + characters are being replaced by literal spaces which seems to be screwing things up.

Is there an option for the flask.args.get function that can handle this?

Answer 1

You need to encode your query parameters correctly; in URL query paramater encoding, spaces are encoded to +, while + itself is encoded to %2B.

Flask cannot be told to treat specific data differently; you cannot reliably detect what data was correctly encoded and what wasn't. You could extract the parameters from query string manually, however, by using request.query_string.

The better approach is to escape your parameters correctly (in JavaScript, use encodeURIComponent(), for example). The + character is not the only problematic character in a Base64-encoded value; the format also uses / and =, both of which carry meaning in a URL, which is why there is a URL-safe variant.

In fact, it is probably the = character at the end of that data: URL that is missing, being the more direct cause of the Incorrect padding error message. If you added it back you'd next indeed have problems with all the + characters having been decoded to ' '.