Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#12445 closed (fixed)

iri_to_uri undesirably converts ~ to %7E

Reported by: jille@… Owned by: nobody
Component: HTTP handling Version: master
Severity: Keywords: iri_to_uri redirect tilde userdir
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

At the moment it is not possible to redirect to so-called user-dirs (e.g. http://host/~username/), because HttpResponseRedirect uses iri_to_uri, which does:

  return urllib.quote(smart_str(iri), safe='/#%[]=:;$&()+,!?*')

By adding ~ to the list of 'safe characters' my problem goes away.

My apologies if I ain't clear enough.

Attachments (2)

django-iri_to_uri.patch (468 bytes) - added by jille@… 4 years ago.
Proposed patch
12445.diff (1.2 KB) - added by gwilson 4 years ago.


Change History (9)

Changed 4 years ago by jille@…

Proposed patch

comment:1 Changed 4 years ago by ubernostrum

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Per RFC 3986, /~username/ and /%7Eusername/ are equivalent, and two otherwise-equivalent URIs which differ only in whether they encode the tilde identify the same resource. Additionally, RFC 1738 declares the tilde "unsafe" and states that it must always be encoded within a URL. Thus, as far as I can tell, iri_to_uri is behaving correctly.

comment:2 Changed 4 years ago by jille@…

Section 2.3 of RFC 3986 states:

  URIs that differ in the replacement of an unreserved character with
   its corresponding percent-encoded US-ASCII octet are equivalent: they
   identify the same resource. 

and

  For consistency, percent-encoded octets in the ranges of ALPHA
   (%41-%5A and %61-%7A), DIGIT (%30-%39), hyphen (%2D), period (%2E),
   underscore (%5F), or tilde (%7E) should not be created by URI
   producers

So, Django should not do it; however, lighttpd (in my case) should accept it.
I'll file this as a lighttpd bug.

comment:4 Changed 4 years ago by lukeplant

  • Resolution invalid deleted
  • Status changed from closed to reopened

RFC 3986 obsoletes 1738, so we have to go with 3986 here, especially as it specifically addresses the issue of tilde, noting (in section 2.4) that older implementations might produce %7E, and says that URI producers should not be producing %7E (section 2.3), as jille@… noted above. So I'm re-opening.

Changed 4 years ago by gwilson

comment:6 Changed 4 years ago by gwilson

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [12066]) Fixed #12445 -- Added ' (single quote), @ (at sign), and ~ (tilde) to safe characters in iri_to_uri function.

comment:7 Changed 4 years ago by gwilson

(In [12067]) [1.1.X] Fixed #12445 -- Added ' (single quote), @ (at sign), and ~ (tilde) to safe characters in iri_to_uri function.

Backport of r12066 from trunk.
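
The two sides of the RFC 3986 argument in this ticket, as an added example that is not Django's code: a producer that percent-encodes with the safe set quoted in the description versus the set after the fix, and a consumer-side normalization that treats `/~username/` and `/%7Eusername/` as the same resource without decoding reserved characters. The function names are hypothetical, and `encode` is a simplified stand-in for the Python 2 `urllib.quote` call shown above.

```python
import re
import string

# RFC 3986 section 2.3 unreserved characters.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

# Safe set quoted in the ticket description, and the same set with the
# three characters added by the fix (single quote, at sign, tilde).
SAFE_BEFORE = "/#%[]=:;$&()+,!?*"
SAFE_AFTER = SAFE_BEFORE + "'@~"

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def encode(iri, safe):
    """Percent-encode the UTF-8 octets of iri (hypothetical helper).

    Letters, digits, '_', '.', '-' and every character in `safe` are
    left alone, which mirrors what Python 2's urllib.quote did.
    """
    keep = set(safe) | (UNRESERVED - {"~"})
    out = []
    for ch in iri:
        if ch in keep:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def normalize_escapes(uri):
    """Decode escapes of unreserved characters only (RFC 3986 6.2.2.2)
    and uppercase the hex digits of the escapes that remain (6.2.2.1).

    Reserved characters such as %2F stay encoded: decoding them would
    change the path structure, so '/a%2Fb' must not become '/a/b'.
    """
    def fix(match):
        ch = chr(int(match.group(1), 16))
        return ch if ch in UNRESERVED else "%" + match.group(1).upper()
    return _PCT.sub(fix, uri)


def equivalent(a, b):
    """Compare two URIs after escape normalization."""
    return normalize_escapes(a) == normalize_escapes(b)
```

Code that compares URLs (redirect allowlists, path-based access rules, cache keys) should compare the normalized form, since either spelling of the tilde can arrive from a client.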
