id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
27198	QueryDict getlist allows data to be mutated	Fraser Nevett	Jani Tiainen	"Calling `getlist()` on a `QueryDict` simply returns the underlying `list`, which means it can be mutated:

{{{
>>> q = QueryDict('a=1&a=2&a=3', mutable=False)
>>> a = q.getlist('a')
>>> a
[u'1', u'2', u'3']
>>> a.append(u'4')
>>> q.getlist('a')
[u'1', u'2', u'3', u'4']
>>> q
<QueryDict: {u'a': [u'1', u'2', u'3', u'4']}>
}}}

I encountered this unexpected behaviour in code using the following pattern:

{{{
values = request.POST.getlist('a')
values += request.POST.getlist('b')
values += request.POST.getlist('c')
}}}

This results in `request.POST` being updated so that ''a'' now also contains the values for ''b'' and ''c''.

Given `request.GET` and `request.POST` are created as '''immutable''' `QueryDict` objects, I would not expect this behaviour.

At present, `getlist` is inherited from `MultiValueDict`. I think the fix would be to add a `getlist` method to `QueryDict` that forces a new `list` to be created:

{{{
def setlist(self, key, default=None):
    return list(super(QueryDict, self).getlist(key, default))
}}}"	Bug	closed	HTTP handling	1.10	Normal	fixed			Accepted	1	0	0	0	0	0