fix: correct ; operator matching and expansion per RFC 6570

Three fixes to the path-style parameter operator:

Non-explode {;id}: the regex used =? (optional equals), which let
{;id} match ;identity=john by consuming 'id' as a prefix. Added a
lookahead asserting the name ends at = or a delimiter.

Explode {;keys*} matching: captured segments included the name=
prefix (returning ['keys=a', 'keys=b'] instead of ['a', 'b']) and
did not validate the parameter name (so ;admin=true matched). Now
strips the prefix and rejects wrong names in post-processing.

Explode {;keys*} expansion: emitted name= for empty items. RFC
3.2.7's ifemp rule says ; omits the = for empty values, so
['a', '', 'b'] now expands to ;keys=a;keys;keys=b.

All three are covered by new round-trip tests including the
empty-item edge case.

Author: maxisbey

src/mcp/shared/uri_template.py

@@ -185,7 +185,12 @@ def _expand_expression(expr: _Expression, variables: Mapping[str, str | Sequence
             if var.explode:
                 # Each item gets the operator's separator; named ops repeat the key.
                 if spec.named:
-                    rendered.append(spec.separator.join(f"{var.name}={v}" for v in items))
+                    # RFC §3.2.7 ifemp: ; omits the = for empty values.
+                    rendered.append(
+                        spec.separator.join(
+                            var.name if (v == "" and expr.operator == ";") else f"{var.name}={v}" for v in items
+                        )
+                    )
                 else:
                     rendered.append(spec.separator.join(items))
             else:
@@ -394,14 +399,26 @@ def match(self, uri: str, *, max_uri_length: int = DEFAULT_MAX_URI_LENGTH) -> di
 
             if var.explode:
                 # Explode capture holds the whole run including separators,
-                # e.g. "/a/b/c". Split, decode each segment, check each.
+                # e.g. "/a/b/c" or ";keys=a;keys=b". Split, decode each
+                # segment, check each.
                 if not raw:
                     result[var.name] = []
                     continue
                 segments: list[str] = []
+                prefix = f"{var.name}="
                 for seg in raw.split(spec.separator):
                     if not seg:  # leading separator produces an empty first item
                         continue
+                    if spec.named:
+                        # Named explode emits name=value per item (or bare
+                        # name for ; with empty value). Validate the name
+                        # and strip the prefix before decoding.
+                        if seg.startswith(prefix):
+                            seg = seg[len(prefix) :]
+                        elif seg == var.name:
+                            seg = ""
+                        else:
+                            return None
                     decoded = unquote(seg)
                     if any(c in decoded for c in forbidden):
                         return None
@@ -464,9 +481,15 @@ def _expression_pattern(expr: _Expression) -> str:
             # Non-greedy so a trailing literal can terminate the run.
             pieces.append(f"((?:{sep}{body})*?)")
         elif spec.named:
-            # ;name=val or ?name=val — the = is optional for ; with empty value
-            eq = "=?" if expr.operator == ";" else "="
-            pieces.append(f"{lead}{re.escape(var.name)}{eq}({body})")
+            name = re.escape(var.name)
+            if expr.operator == ";":
+                # RFC ifemp: ; emits bare name for empty values, so = is
+                # optional. The lookahead asserts the name ends at = or a
+                # delimiter, preventing {;id} from matching ;identity.
+                pieces.append(f"{lead}{name}(?==|[;/?#]|$)=?({body})")
+            else:
+                # ? and & always emit name=, even for empty values.
+                pieces.append(f"{lead}{name}=({body})")
         else:
             pieces.append(f"{lead}({body})")
 

tests/shared/test_uri_template.py

@@ -280,6 +280,8 @@ def test_frozen():
         ("{/path*}", {"path": ["a", "b", "c"]}, "/a/b/c"),
         ("{.labels*}", {"labels": ["x", "y"]}, ".x.y"),
         ("{;keys*}", {"keys": ["a", "b"]}, ";keys=a;keys=b"),
+        # RFC §3.2.7 ifemp: ; omits = for empty explode items
+        ("{;keys*}", {"keys": ["a", "", "b"]}, ";keys=a;keys;keys=b"),
         # Undefined variables omitted
         ("{?q,page}", {"q": "x"}, "?q=x"),
         ("{a}{b}", {"a": "x"}, "x"),
@@ -333,6 +335,10 @@ def test_expand_rejects_invalid_value_types(value: object):
         # Level 3: path-style param
         ("item{;id}", "item;id=42", {"id": "42"}),
         ("item{;id}", "item;id", {"id": ""}),
+        # Explode: ; emits name=value per item, match strips the prefix
+        ("item{;keys*}", "item;keys=a;keys=b", {"keys": ["a", "b"]}),
+        ("item{;keys*}", "item;keys=a;keys;keys=b", {"keys": ["a", "", "b"]}),
+        ("item{;keys*}", "item", {"keys": []}),
         # Level 3: query
         ("search{?q}", "search?q=hello", {"q": "hello"}),
         ("search{?q}", "search?q=", {"q": ""}),
@@ -367,6 +373,12 @@ def test_match(template: str, uri: str, expected: dict[str, str | list[str]]):
         ("/users/{id}/posts/{pid}", "/users/1/posts/2/extra"),
         # Repeated-slash literal with wrong slash count
         ("///{a}////{b}////", "//x////y////"),
+        # ; name boundary: {;id} must not match a longer parameter name
+        ("item{;id}", "item;identity=john"),
+        ("item{;id}", "item;ident"),
+        # ; explode: wrong parameter name in any segment rejects the match
+        ("item{;keys*}", "item;admin=true"),
+        ("item{;keys*}", "item;keys=a;admin=true"),
     ],
 )
 def test_match_no_match(template: str, uri: str):
@@ -482,6 +494,10 @@ def test_match_structural_integrity_per_explode_segment():
         ("file{.ext}", {"ext": "txt"}),
         ("/files{/path*}", {"path": ["a", "b", "c"]}),
         ("{var}", {"var": "hello world"}),
+        ("item{;id}", {"id": "42"}),
+        ("item{;id}", {"id": ""}),
+        ("item{;keys*}", {"keys": ["a", "b", "c"]}),
+        ("item{;keys*}", {"keys": ["a", "", "b"]}),
     ],
 )
 def test_roundtrip_expand_then_match(template: str, variables: dict[str, str | list[str]]):