
Opened 5 years ago

Closed 3 years ago

#11903 closed Bug (invalid)

WSGIRequest.path not quoted properly

Reported by: ianb
Owned by: fgallina
Component: HTTP handling
Version: 1.1
Severity: Normal
Keywords:
Cc: ianb@…
Triage Stage: Design decision needed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

WSGIRequest.__init__ contains the code:

        self.path = '%s%s' % (script_name, path_info)

Both script_name and path_info are url-decoded. That is, if you request /Foo%20bar then PATH_INFO will be '/Foo bar' -- to get the accurate path you have to re-encode both values.

Attachments (2)

11903.diff (906 bytes) - added by krisneuharth 4 years ago.
Patch for #11903
bug11903.patch (1.7 KB) - added by fgallina 4 years ago.
patch with test for bug 11903


Change History (16)

comment:1 Changed 4 years ago by russellm

  • milestone set to 1.2
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 4 years ago by anonymous

  • Owner changed from nobody to anonymous
  • Status changed from new to assigned

comment:3 Changed 4 years ago by krisneuharth

  • Owner changed from anonymous to krisneuharth
  • Status changed from assigned to new

Changed 4 years ago by krisneuharth

Patch for #11903

comment:4 Changed 4 years ago by krisneuharth

  • Has patch set
  • Needs tests set

comment:5 Changed 4 years ago by russellm

  • Component changed from Uncategorized to HTTP handling

comment:6 Changed 4 years ago by jacob

  • Patch needs improvement set

Need a test for this.

comment:7 Changed 4 years ago by anonymous

  • Owner changed from krisneuharth to fgallina

Changed 4 years ago by fgallina

patch with test for bug 11903

comment:8 Changed 4 years ago by fgallina

  • Patch needs improvement unset

The proposed approach was not correct: urlencode works with two-element tuples or a dictionary. urlquote should be used for it since script_name and path_info are strings.

The attached patch contains the correction for it and a test.

comment:9 Changed 4 years ago by SmileyChris

  • milestone 1.2 deleted
  • Triage Stage changed from Accepted to Design decision needed

It seems like this could introduce backwards compatibility issues (even though from a quick look at the docs there's no specific mention of quoted/unquoted when referring to request.path).

Is there some standard which the proposal to quote request.path would follow? I couldn't find any reference in pep333.

This also creates a disparate situation between path and path_info. Applications may be using both, and to have one quoted and the other not seems odd. And since path_info is used by django's url resolution it may cause problems quoting that.

In any case, this isn't a regression and probably needs some discussion, so I'm bumping out of the already-late 1.2 phase.

comment:10 Changed 4 years ago by ianb

The quoting of PATH_INFO is specified in the CGI specification, which PEP 333 refers to. This is also true for mod_python (and Apache generally).

comment:11 Changed 3 years ago by baumer1122

  • Severity set to Normal
  • Type set to Bug

comment:12 Changed 3 years ago by anonymous

  • Needs tests unset

comment:13 Changed 3 years ago by aaugustin

  • Easy pickings unset
  • Resolution set to invalid
  • Status changed from new to closed
  • UI/UX unset

I believe the current behavior is correct. Django handles the encoding / decoding wherever necessary and provides unicode objects to the programmer.

request.path is unicode and has no reason to be url-encoded. (In the code quoted in the original report, path_info is unicode, which guarantees that self.path is unicode.)

This is a custom API of Django, which means we aren't bound by the WSGI or CGI spec there (while we are for request.META['PATH_INFO']).

To sum up, if I'm typing "www.mysite.com/foo bar/" in my browser, the browser will issue a request for "/foo%20bar/", but Django will convert that back to u"/foo bar/".
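
The behaviour discussed in this ticket, as an added example that is not part of the ticket or of Django's code: a simplified stand-in for a WSGI server decodes the path, the line quoted in the report builds the path, and re-quoting is applied only when the value goes back into a URL. The helper names and sample paths are constructed for illustration; the example also goes one step beyond the thread by showing that re-quoting cannot restore an encoded slash (%2F).

```python
from urllib.parse import quote, unquote


def server_environ(raw_target, mount=""):
    """Simplified stand-in for a CGI/WSGI server (an assumption, not Django code):
    SCRIPT_NAME and PATH_INFO reach the application percent-decoded."""
    path = raw_target.split("?", 1)[0]          # the query string is not part of the path
    decoded = unquote(path)
    if mount and not decoded.startswith(mount):
        raise ValueError("request is outside the mount point")
    return {"SCRIPT_NAME": mount, "PATH_INFO": decoded[len(mount):]}


def request_path(environ):
    """The line quoted in the ticket: plain concatenation of decoded values."""
    return "%s%s" % (environ["SCRIPT_NAME"], environ["PATH_INFO"])


def requoted_path(environ):
    """Re-encode the decoded path before it is placed in a URL
    (for example a Location header or an href attribute)."""
    return quote(request_path(environ), safe="/")


def round_trips(raw_target):
    """True when re-quoting the decoded path reproduces the requested path."""
    raw_path = raw_target.split("?", 1)[0]
    return requoted_path(server_environ(raw_target)) == raw_path


# Constructed sample request paths
SAMPLES = ["/Foo%20bar", "/foo%20bar/", "/search/50%25", "/files/a%2Fb"]

if __name__ == "__main__":
    for raw in SAMPLES:
        env = server_environ(raw)
        print(raw, "->", repr(request_path(env)), "->",
              requoted_path(env), "| round trip:", round_trips(raw))
```

The last sample does not round-trip: once `%2F` has been decoded, the path no longer records whether the slash was a separator or data, so code that needs that distinction cannot recover it by re-quoting the decoded value.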
