Summary
The manual .env file parser in parse_env_file() (config.py:351) uses .strip("\"'") to remove surrounding quotes from values. Python's str.strip() removes any character in the given set from both ends independently, rather than treating quotes as matched pairs. This corrupts values that contain quote characters of the opposite type.
Details
The problematic line:
env[key.strip()] = value.strip().strip("\"'")
str.strip(chars) removes all leading and trailing characters that appear in chars, regardless of what was on the other end. For a value like:
KEY='he said "hello"'
The parser extracts 'he said "hello"', then .strip("\"'") removes the leading ', then sees the now-exposed trailing " (also in the strip set) and removes that too. The result is he said "hello - a corrupted value with a missing closing quote.
Other examples that break:
KEY="it's fine" - the inner ' gets eaten if it ends up at a boundary
KEY='value "with" quotes' - trailing " consumed after the outer ' is stripped
KEY="she said 'hello'" - trailing ' consumed after outer " is stripped
The python-dotenv code path (used when that package is installed) handles this correctly by checking whether the first and last characters are a matching pair before stripping. The manual fallback parser does not.
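To make the difference concrete, here is an added example (not the project's code; parse_env_text, strip_quotes_buggy, strip_quotes_matched and corrupted_keys are hypothetical names) that runs a minimal .env line parser over a constructed file twice: once with the boundary-independent .strip("\"'") behaviour described above, and once with a matched-pair check of the kind python-dotenv performs. The sample file also includes a value with an unbalanced leading quote to show that the matched-pair version leaves it untouched instead of silently dropping the quote.

```python
# Added example: minimal .env parsing with two quote-stripping strategies.
# Not the project's code; all names here are hypothetical.

# Constructed sample .env content covering the cases discussed in the report.
SAMPLE_ENV = """
A='he said "hello"'
B="it's fine"
C='value "with quotes"'
D="she said 'hello'"
E=plain
F="unterminated
"""


def strip_quotes_buggy(value: str) -> str:
    """Mimics value.strip().strip("\\"'"): each end is stripped on its own,
    so an inner quote of the other type sitting at a boundary is eaten too."""
    return value.strip().strip("\"'")


def strip_quotes_matched(value: str) -> str:
    """Only removes quotes when the first and last characters are the same
    quote character; anything else (including unbalanced quotes) is kept."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_env_text(text: str, strip_quotes) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and comments, using the given
    quote-stripping function for the value part."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = strip_quotes(value)
    return env


def corrupted_keys(text: str) -> list:
    """Keys whose value differs between the two strategies, i.e. values the
    boundary-independent strip would silently corrupt."""
    buggy = parse_env_text(text, strip_quotes_buggy)
    fixed = parse_env_text(text, strip_quotes_matched)
    return sorted(k for k in fixed if buggy[k] != fixed[k])


if __name__ == "__main__":
    for key in corrupted_keys(SAMPLE_ENV):
        print(key,
              repr(parse_env_text(SAMPLE_ENV, strip_quotes_buggy)[key]),
              "->",
              repr(parse_env_text(SAMPLE_ENV, strip_quotes_matched)[key]))
```

Running corrupted_keys over a real .env file is a quick way to find values that the fallback parser would have mangled before deciding whether to add the [dotenv] extra.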
Impact
Any .env value that uses one quote type to wrap a value containing the other quote type gets silently corrupted. The parser is the fallback path used when python-dotenv is not installed. Since python-dotenv is an optional dependency (the [dotenv] extra), users running without it hit the buggy parser.
The corruption is silent - no error, no warning. The wrong value just propagates into the config and causes hard-to-diagnose downstream behavior.
Severity
MEDIUM - from the code review document.