gh-104773: PEP 594: Remove cgi and cgitb modules

Doc/library/security_warnings.rst

@@ -9,7 +9,6 @@ The following modules have specific security considerations:
 
 * :mod:`base64`: :ref:`base64 security considerations <base64-security>` in
   :rfc:`4648`
-* :mod:`cgi`: :ref:`CGI security considerations <cgi-security>`
 * :mod:`hashlib`: :ref:`all constructors take a "usedforsecurity" keyword-only
   argument disabling known insecure and blocked algorithms
   <hashlib-usedforsecurity>`

Doc/library/superseded.rst

@@ -12,8 +12,6 @@ backwards compatibility. They have been superseded by other modules.
 
    aifc.rst
    audioop.rst
-   cgi.rst
-   cgitb.rst
    chunk.rst
    crypt.rst
    imghdr.rst

Doc/whatsnew/2.0.rst

@@ -1030,7 +1030,7 @@ Module changes
 
 Lots of improvements and bugfixes were made to Python's extensive standard
 library; some of the affected modules include :mod:`readline`,
-:mod:`ConfigParser`, :mod:`cgi`, :mod:`calendar`, :mod:`posix`, :mod:`readline`,
+:mod:`ConfigParser`, :mod:`!cgi`, :mod:`calendar`, :mod:`posix`, :mod:`readline`,
 :mod:`xmllib`, :mod:`aifc`, :mod:`chunk, wave`, :mod:`random`, :mod:`shelve`,
 and :mod:`nntplib`.  Consult the CVS logs for the exact patch-by-patch details.
 

Doc/whatsnew/2.6.rst

@@ -1805,15 +1805,15 @@ changes, or look through the Subversion logs for all the details.
   available, instead of restricting itself to protocol 1.
   (Contributed by W. Barnes.)
 
-* The :mod:`cgi` module will now read variables from the query string
+* The :mod:`!cgi` module will now read variables from the query string
   of an HTTP POST request.  This makes it possible to use form actions
   with URLs that include query strings such as
   "/cgi-bin/add.py?category=1".  (Contributed by Alexandre Fiori and
   Nubis; :issue:`1817`.)
 
   The :func:`parse_qs` and :func:`parse_qsl` functions have been
-  relocated from the :mod:`cgi` module to the :mod:`urlparse` module.
-  The versions still available in the :mod:`cgi` module will
+  relocated from the :mod:`!cgi` module to the :mod:`urlparse` module.
+  The versions still available in the :mod:`!cgi` module will
   trigger :exc:`PendingDeprecationWarning` messages in 2.6
   (:issue:`600362`).
 

Doc/whatsnew/3.10.rst

@@ -1508,7 +1508,7 @@ query parameter separators in :func:`urllib.parse.parse_qs` and
 :func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
 newer W3C recommendations, this has been changed to allow only a single
 separator key, with ``&`` as the default.  This change also affects
-:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+:func:`!cgi.parse` and :func:`!cgi.parse_multipart` as they use the affected
 functions internally.  For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Doc/whatsnew/3.11.rst

@@ -1735,9 +1735,9 @@ Modules
   +---------------------+---------------------+---------------------+---------------------+---------------------+
   | :mod:`audioop`      | :mod:`crypt`        | :mod:`nis`          | :mod:`sndhdr`       | :mod:`uu`           |
   +---------------------+---------------------+---------------------+---------------------+---------------------+
-  | :mod:`cgi`          | :mod:`imghdr`       | :mod:`nntplib`      | :mod:`spwd`         | :mod:`xdrlib`       |
+  | :mod:`!cgi`         | :mod:`imghdr`       | :mod:`nntplib`      | :mod:`spwd`         | :mod:`xdrlib`       |
   +---------------------+---------------------+---------------------+---------------------+---------------------+
-  | :mod:`cgitb`        | :mod:`mailcap`      | :mod:`ossaudiodev`  | :mod:`sunau`        |                     |
+  | :mod:`!cgitb`       | :mod:`mailcap`      | :mod:`ossaudiodev`  | :mod:`sunau`        |                     |
   +---------------------+---------------------+---------------------+---------------------+---------------------+
 
   (Contributed by Brett Cannon in :issue:`47061` and Victor Stinner in

Doc/whatsnew/3.12.rst

@@ -805,8 +805,8 @@ Modules (see :pep:`594`):
 
 * :mod:`aifc`
 * :mod:`audioop`
-* :mod:`cgi`
-* :mod:`cgitb`
+* :mod:`!cgi`
+* :mod:`!cgitb`
 * :mod:`chunk`
 * :mod:`crypt`
 * :mod:`imghdr`

Doc/whatsnew/3.13.rst

@@ -118,6 +118,36 @@ Removed
 * Remove support for using :class:`pathlib.Path` objects as context managers.
   This functionality was deprecated and made a no-op in Python 3.9.
 
+* :pep:`594`: Remove the :mod:`!cgi`` and :mod:`!cgitb` modules,
+  deprecated in Python 3.11.
+
+  * ``cgi.FieldStorage`` can typically be replaced with
+    :func:`urllib.parse.parse_qsl` for ``GET`` and ``HEAD`` requests, and the
+    :mod:`email.message` module or `multipart
+    <https://pypi.org/project/multipart/>`__ PyPI project for ``POST`` and
+    ``PUT``.
+
+  * ``cgi.parse()`` can be replaced by calling :func:`urllib.parse.parse_qs`
+    directly on the desired query string, except for ``multipart/form-data``
+    input, which can be handled as described for ``cgi.parse_multipart()``.
+
+  * ``cgi.parse_multipart()`` can be replaced with the functionality in the
+    :mod:`email` package (e.g. :class:`email.message.EmailMessage` and
+    :class:`email.message.Message`) which implements the same MIME RFCs, or
+    with the `multipart <https://pypi.org/project/multipart/>`__ PyPI project.
+
+  * ``cgi.parse_header()`` can be replaced with the functionality in the
+    :mod:`email` package, which implements the same MIME RFCs. For example,
+    with :class:`email.message.EmailMessage`::
+
+        from email.message import EmailMessage
+        msg = EmailMessage()
+        msg['content-type'] = 'application/json; charset="utf8"'
+        main, params = msg.get_content_type(), msg['content-type'].params
+
+  (Contributed by Victor Stinner in :gh:`104773`.)
+
+
 Porting to Python 3.13
 ======================
 

Doc/whatsnew/3.4.rst

@@ -2371,11 +2371,11 @@ Changes in the Python API
   3.3.3.
 
 * The :attr:`~cgi.FieldStorage.file` attribute is now automatically closed when
-  the creating :class:`cgi.FieldStorage` instance is garbage collected. If you
-  were pulling the file object out separately from the :class:`cgi.FieldStorage`
+  the creating :class:`!cgi.FieldStorage` instance is garbage collected. If you
+  were pulling the file object out separately from the :class:`!cgi.FieldStorage`
   instance and not keeping the instance alive, then you should either store the
-  entire :class:`cgi.FieldStorage` instance or read the contents of the file
-  before the :class:`cgi.FieldStorage` instance is garbage collected.
+  entire :class:`!cgi.FieldStorage` instance or read the contents of the file
+  before the :class:`!cgi.FieldStorage` instance is garbage collected.
 
 * Calling ``read`` or ``write`` on a closed SSL socket now raises an
   informative :exc:`ValueError` rather than the previous more mysterious

Doc/whatsnew/3.6.rst

@@ -2185,7 +2185,7 @@ Changes in the Python API
 
 * The following modules have had missing APIs added to their :attr:`__all__`
   attributes to match the documented APIs:
-  :mod:`calendar`, :mod:`cgi`, :mod:`csv`,
+  :mod:`calendar`, :mod:`!cgi`, :mod:`csv`,
   :mod:`~xml.etree.ElementTree`, :mod:`enum`,
   :mod:`fileinput`, :mod:`ftplib`, :mod:`logging`, :mod:`mailbox`,
   :mod:`mimetypes`, :mod:`optparse`, :mod:`plistlib`, :mod:`smtpd`,
@@ -2455,7 +2455,7 @@ query parameter separators in :func:`urllib.parse.parse_qs` and
 :func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
 newer W3C recommendations, this has been changed to allow only a single
 separator key, with ``&`` as the default.  This change also affects
-:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+:func:`!cgi.parse` and :func:`!cgi.parse_multipart` as they use the affected
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Doc/whatsnew/3.7.rst

@@ -2567,7 +2567,7 @@ query parameter separators in :func:`urllib.parse.parse_qs` and
 :func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
 newer W3C recommendations, this has been changed to allow only a single
 separator key, with ``&`` as the default.  This change also affects
-:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+:func:`!cgi.parse` and :func:`!cgi.parse_multipart` as they use the affected
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Doc/whatsnew/3.8.rst

@@ -1774,7 +1774,7 @@ The following features and APIs have been removed from Python 3.8:
   to help eliminate confusion as to what Python interpreter the ``pyvenv``
   script is tied to. (Contributed by Brett Cannon in :issue:`25427`.)
 
-* ``parse_qs``, ``parse_qsl``, and ``escape`` are removed from the :mod:`cgi`
+* ``parse_qs``, ``parse_qsl``, and ``escape`` are removed from the :mod:`!cgi`
   module.  They are deprecated in Python 3.2 or older. They should be imported
   from the ``urllib.parse`` and ``html`` modules instead.
 
@@ -2251,7 +2251,7 @@ query parameter separators in :func:`urllib.parse.parse_qs` and
 :func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
 newer W3C recommendations, this has been changed to allow only a single
 separator key, with ``&`` as the default.  This change also affects
-:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+:func:`!cgi.parse` and :func:`!cgi.parse_multipart` as they use the affected
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Doc/whatsnew/3.9.rst

@@ -1559,7 +1559,7 @@ query parameter separators in :func:`urllib.parse.parse_qs` and
 :func:`urllib.parse.parse_qsl`.  Due to security concerns, and to conform with
 newer W3C recommendations, this has been changed to allow only a single
 separator key, with ``&`` as the default.  This change also affects
-:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected
+:func:`!cgi.parse` and :func:`!cgi.parse_multipart` as they use the affected
 functions internally. For more details, please see their respective
 documentation.
 (Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)