id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
6621	build_absolute_uri in HttpRequest breaks with colon in URL path	Greg Thornton <xdissent@…>	nobody	"It appears that HttpRequest from django.http has a bug that allows it to return a ''relative'' URL when the path component of the current URL (or the location argument) contains a colon. The show_url view below demonstrates the issue:

{{{
from django.http import HttpResponse
from urlparse import urljoin
import re

http_re = re.compile('^https?:')

def get_absolute_uri(request):
    location = request.get_full_path()
    if not http_re.match(location):
        current_uri = '%s://%s%s' % (request.is_secure() and 'https' or 'http', request.get_host(), request.path)
        location = urljoin(current_uri, location)
    return location

def show_url(request):
    response = """"""
        Absolute URI: %s<br />
        Expected: %s<br />
    """""" % (request.build_absolute_uri(), get_absolute_uri(request))
    return HttpResponse(response)
}}}

Output correct without colon (requested http://xdissent.com/show_url/testing123):
{{{
Absolute URI: http://xdissent.com/show_url/testing123
Expected: http://xdissent.com/show_url/testing123
}}}

but broken when a colon is found in the URL path (requested http://xdissent.com/show_url/testing:123):
{{{
Absolute URI: /show_url/testing:123
Expected: http://xdissent.com/show_url/testing:123
}}}

My function get_absolute_uri is essentially copied from HttpRequest's build_absolute_uri, but uses a small regex to determine whether or not a path is relative, whereas build_absolute_uri simply checks for the presence of a colon. Upon first glance, it appears that this is correct behaviour according to the URL spec, because really any colons in the path portion of a URL should be URL encoded as %3A, so build_absolute_uri wouldn't find a colon when used properly. However, Django automatically decodes encoded URL characters, so even when using %3A for colons, build_absolute_uri still thinks the path is absolute when it is not. For example:

Still broken even when using encoded colons in the path (requested http://xdissent.com/show_url/testing%3A123):
{{{
Absolute URI: /show_url/testing:123
Expected: http://xdissent.com/show_url/testing:123
}}}"	Uncategorized	closed	HTTP handling	dev	Normal	fixed	http url colon		Accepted	1	0	0	0	0	0
