However, the fix in https://github.com/django/django/pull/11688 forbids
spaces anywhere, including outside of <> parameters.
URLs with spaces are weird and subject to URL encoding in the browser bar,
but they appear occasionally; I hit the bug with a real URL after
migrating to 3.1.
re_path allows matching those URLs as a workaround, but it's weird to have
to use re just because of a space in an otherwise simple route.
If the bug is deemed valid, I can work on a patch to only forbid spaces
between < and > parts.
--
Ticket URL: <https://code.djangoproject.com/ticket/31858>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
* status: new => closed
* resolution: => wontfix
Comment:
Hi Kevin. Thanks for the report, but I don't think we should support this.
[https://www.ietf.org/rfc/rfc1738.txt RFC 1738] is pretty clear on this:
> The space character is unsafe ....
and:
> ...All unsafe characters must always be encoded within a URL.
(Search for the "unsafe" section header.)
I think "If you want to do this nonetheless then use `re_path`" is more
than reasonable.
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:1>
Comment (by Kevin Michel):
Hi,
I agree that spaces in URLs are unsafe, and we should urlencode them
when transmitting or writing URLs, like the browser does automatically.
However, URLs are urldecoded before reaching the router (which is the
right thing to do as far as I understand it), the router matches a decoded
path, which is not really a URL anymore.
In the WSGI case, the URL decoding is done when filling
`environ['PATH_INFO']`, for instance here:
https://github.com/python/cpython/blob/master/Lib/wsgiref/simple_server.py#L85
Because of that, it's not possible to try to match the safe "%20" in a
route as if it was a URL.
I think spaces in URLs are indeed unsafe and invalid but spaces in the
path for the router are safe and should be allowed.
Not being able to match all valid paths with a route is a possibility but
it's a bit surprising.
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:2>
* status: closed => new
* resolution: wontfix =>
* stage: Unreviewed => Accepted
Comment:
Yes, you're right. The
[https://tools.ietf.org/html/draft-coar-cgi-v11-03#section-4.1.5 CGI spec has]:
> Unlike a URI path, the PATH_INFO is not URL-encoded
Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:3>
* owner: nobody => Tim Park
* status: new => assigned
* has_patch: 0 => 1
Comment:
Hey guys, PR opened here: https://github.com/django/django/pull/13364
Let me know your thoughts!
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:4>
* stage: Accepted => Ready for checkin
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:5>
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"ece18207cbb64dd89014e279ac636a6c9829828e" ece1820]:
{{{
#!CommitTicketReference repository=""
revision="ece18207cbb64dd89014e279ac636a6c9829828e"
Fixed #31858 -- Reallowed whitespaces in URL paths outside of parameters.
Regression in 22394bd3a18a7d9a8957a0b431f8ae4e5ca03a8c.
Thanks David Smith for the review.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/31858#comment:6>
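The behaviour discussed in this thread, as an added example that is not Django's code and not part of the ticket: a WSGI-style decode of the request path followed by a route check that refuses whitespace only inside `<...>` parameters. The route syntax, `compile_route`, `decode_path_info` and the `strict_everywhere` switch are hypothetical simplifications; the sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Hypothetical, simplified route syntax: literal text plus <name> parameters.
_PARAM = re.compile(r"<(?P<name>[^<>]+)>")


def decode_path_info(raw_path):
    """Decode a request path the way wsgiref fills environ['PATH_INFO']."""
    path = raw_path.split("?", 1)[0]
    return unquote(path, "iso-8859-1")


def compile_route(route, strict_everywhere=False):
    """Compile 'my files/<name>/' to a regex over the *decoded* path.

    strict_everywhere=True models the behaviour reported in the ticket
    (whitespace refused anywhere in the route). The default refuses it
    only inside <...>, where it would be part of a parameter name.
    """
    if strict_everywhere and any(c.isspace() for c in route):
        raise ValueError("route %r cannot contain whitespace" % route)
    parts, pos = ["^"], 0
    for m in _PARAM.finditer(route):
        name = m.group("name")
        if any(c.isspace() for c in name):
            raise ValueError("parameter %r cannot contain whitespace" % name)
        if not name.isidentifier():
            raise ValueError("parameter %r is not a valid identifier" % name)
        parts.append(re.escape(route[pos:m.start()]))  # literal segment
        parts.append("(?P<%s>[^/]+)" % name)           # captured parameter
        pos = m.end()
    parts.append(re.escape(route[pos:]) + "$")
    return re.compile("".join(parts))


if __name__ == "__main__":
    # Constructed request: the browser sends %20, the router sees a space.
    path = decode_path_info("/my%20files/report/?x=1").lstrip("/")
    print(repr(path))
    print(compile_route("my files/<name>/").match(path).groupdict())
    # A route written with the encoded form never matches the decoded path.
    print(compile_route("my%20files/<name>/").match(path))
```

The same decoded-versus-encoded distinction applies to any path-based allow or deny rule placed in front of the router: it has to be evaluated against the decoded path the application actually matches.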