#32050: reverse() and request.get_full_path() escape URL paths differently
-------------------------------------+-------------------------------------
Reporter: Jack | Owner: nobody
Cushman |
Type: Bug | Status: new
Component: Core | Version: master
(URLs) | Keywords: reverse,
Severity: Normal | get_full_path, escape
Triage Stage: | Has patch: 0
Unreviewed |
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
`reverse()` and `request.get_full_path()` apply different escaping rules
to the path section of URLs. `reverse()` applies `iri_to_uri` and escapes
everything except `/#%[]=:;$&()+,!?*@'~`, while `get_full_path` applies
`escape_uri_path` and escapes everything except `/:@&+$,-_.!~*'()`. (In
other words, get_full_path() escapes some characters like semicolon that
reverse() does not.) I'm not sure which rules are correct, but it seems
like the two should escape URL paths the same way. In particular, maybe
reverse() ought to apply escape_uri_path to its path section?
Here's a one-file app that demonstrates the mismatch. Visiting
localhost:8000/1/wrongtitle will successfully redirect to the correct
title, but visiting localhost:8000/2/wrongtitle will start an infinite
loop printing `/2/Some%20semicolon;.pdf does not match
/2/Some%20semicolon%3B.pdf!` because the title contains a semicolon, which
is escaped by get_full_path() but not by reverse().
(I realize there are other ways to implement this demo program, but it
highlights the underlying issue that the paths produced by the two
functions should be escaped the same way, whichever way is correct.)
{{{
import sys
from django.conf import settings
from django.core.management import execute_from_command_line
from django.core.wsgi import get_wsgi_application
from django.http import HttpResponse, HttpResponseRedirect
from django.urls import path, reverse
settings.configure(ALLOWED_HOSTS=["*"], ROOT_URLCONF=__name__,
SECRET_KEY="foo", DEBUG=True)
files = {1: 'Some title.pdf', 2: 'Some semicolon;.pdf'}
def deliver_file(request, file_id, title):
correct_title = files[file_id]
correct_url = reverse('deliver_file', args=[file_id, correct_title])
if correct_url != request.get_full_path():
print(f"{correct_url} does not match {request.get_full_path()}!")
return HttpResponseRedirect(correct_url)
return HttpResponse(correct_title)
urlpatterns = [
path("<int:file_id>/<str:title>", deliver_file, name='deliver_file'),
]
app = get_wsgi_application()
execute_from_command_line(sys.argv)
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/32050>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/051.1ef27591cedc8158566a6d5491a52778%40djangoproject.com.
