#18456: HttpRequest.get_full_path does not escape # sign in the url
-------------------------------------+-------------------------------------
     Reporter:  vlad.shcherbina@…    |                    Owner:
         Type:  Bug                  |  unaizalakain
    Component:  HTTP handling        |                   Status:  assigned
     Severity:  Normal               |                  Version:  master
     Keywords:                       |               Resolution:
    Has patch:  0                    |             Triage Stage:  Accepted
  Needs tests:  0                    |      Needs documentation:  0
Easy pickings:  0                    |  Patch needs improvement:  0
                                     |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by unaizalakain):

 * owner:  nobody => unaizalakain
 * status:  new => assigned


Comment:

 According to https://www.ietf.org/rfc/rfc2396.txt

 {{{
    The path may consist of a sequence of path segments separated by a
    single slash "/" character.  Within a path segment, the characters
    "/", ";", "=", and "?" are reserved.  Each path segment may include a
    sequence of parameters, indicated by the semicolon ";" character.
    The parameters are not significant to the parsing of relative
    references.
 }}}

 I would escape all "/", ";", "=" and "?" characters. The fragment isn't
 even contemplated because it's not strictly part of the URI:

 {{{
    When a URI reference is used to perform a retrieval action on the
    identified resource, the optional fragment identifier, separated from
    the URI by a crosshatch ("#") character, consists of additional
    reference information to be interpreted by the user agent after the
    retrieval action has been successfully completed.  As such, it is not
    part of a URI, but is often used in conjunction with a URI.
 }}}

 Personally, I consider the possible logging clarity problems less
 important than the problems arising from `HttpRequest.get_full_path()`'s
 bad behavior. If needed, logging could use some other function to print
 out the URI.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/18456#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
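
The truncation this ticket describes, reproduced with the Python standard library as an added example (not Django's code and not part of the comment above). The function names, the `PATH_SAFE` set and the sample path are hypothetical choices made for this illustration.

```python
from urllib.parse import quote, unquote, urlsplit

# Characters left unescaped in the path; this set is a choice made for this
# example. "#" and "?" are deliberately absent because they end the path.
PATH_SAFE = "/;=:@&+$,!*'()"


def naive_full_path(path, query_string=""):
    """Join a decoded path and a raw query string with no escaping."""
    return path + ("?" + query_string if query_string else "")


def escaped_full_path(path, query_string=""):
    """Percent-encode the decoded path before appending the query string."""
    return quote(path, safe=PATH_SAFE) + ("?" + query_string if query_string else "")


def round_trip(full_path):
    """Re-parse a full path the way a client following it would.

    Returns (decoded path, query, fragment).
    """
    parts = urlsplit(full_path)
    return unquote(parts.path), parts.query, parts.fragment


# Constructed sample: a decoded request path containing "#" and "?".
SAMPLE_PATH = "/docs/c#/what?.html"
SAMPLE_QUERY = "page=2"

if __name__ == "__main__":
    for build in (naive_full_path, escaped_full_path):
        url = build(SAMPLE_PATH, SAMPLE_QUERY)
        print(f"{build.__name__}: {url} -> {round_trip(url)}")
```

With the naive join, everything after the first "#" is re-parsed as a fragment, so a redirect or link built from that value points at `/docs/c` and the query string is lost.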
