Opened 9 years ago
Closed 9 years ago
#25572 closed Bug (duplicate)
APPEND_SLASH (and others) sometimes redirect to invalid URL by encoding the entire URI
Reported by: | Amine Haddad | Owned by: | nobody |
---|---|---|---|
Component: | Core (URLs) | Version: | 1.8 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
When APPEND_SLASH is True (default), the request for "/test/+123?foo=+123" redirects to "/test/%2B123/?foo=%2B123" instead of "/test/+123/?foo=%2B123".
Sources:
http://stackoverflow.com/a/332897 (the "+" should not be encoded in escape or encodeURI)
https://github.com/django/django/blob/master/django/http/request.py#L122
https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
https://www.ietf.org/rfc/rfc2396.txt "Likewise, a URI must be separated into its components before the escaped characters within those components can be safely decoded."
Sample urls.py line that redirects to the invalid "/test/%2B123/" when a slash is missing:
url(r'^test/(?P<foobar>\+[0-9]+)/$', 'test', name='test')
Solution: It should redirect to: /test/+123/?... instead of /test/%2B123/?...
I couldn't reproduce on master, and it was apparently fixed in [9128762f1608f9633005f16c95270058a50ada2b] (#19910).
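The redirect described in the ticket, rebuilt with the standard library only as an added example (not Django's code and not from the ticket): one builder escapes the whole URI as a single string, the other escapes the path on its own. The function names and the `PATH_SAFE` set are hypothetical, the inputs are modelled as a decoded path plus a raw query string, and forwarding the query unchanged is this example's assumption.

```python
from urllib.parse import parse_qs, quote

# Characters RFC 3986 allows unescaped inside a path segment (sub-delims,
# ":" and "@"), plus "/" as the segment separator. Assumed safe set for this
# example; unreserved characters are always left alone by quote().
PATH_SAFE = "/:@!$&'()*+,;="


def whole_uri_redirect(path_info, query_string):
    """Reported behaviour: append the slash, then escape the URI as one string."""
    uri = path_info + "/" + ("?" + query_string if query_string else "")
    # Only the delimiters are kept safe, so "+" is escaped in path and query.
    return quote(uri, safe="/?=&")


def per_component_redirect(path_info, query_string):
    """Escape the decoded path on its own; forward the raw query untouched."""
    path = quote(path_info, safe=PATH_SAFE) + "/"
    return path + ("?" + query_string if query_string else "")


def query_value(uri, key):
    """Decode one query parameter the way a form parser would."""
    _, _, query = uri.partition("?")
    return parse_qs(query, keep_blank_values=True)[key][0]


if __name__ == "__main__":
    # Constructed request from the ticket: decoded path plus raw query string.
    path_info, query_string = "/test/+123", "foo=+123"
    for build in (whole_uri_redirect, per_component_redirect):
        target = build(path_info, query_string)
        print(build.__name__, target, repr(query_value(target, "foo")))
```

Run as a script, it prints both targets with the decoded `foo` value: `'+123'` once the query has been escaped and `' 123'` for the untouched query, because a form parser reads a bare `+` as a space.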