Fixed #18456 -- Added path escaping to HttpRequest.get_full_path().

author: Unai Zalakain <unai@gisa-elkartea.org> 2014-10-31 17:43:34 +0200
committer: Tim Graham <timograham@gmail.com> 2014-11-03 07:59:19 -0500
commit: c548c8d0d1112d2c4bace2eebf73ede35300d842 (patch)
tree: a0d8e3089302139c6a24b6262d37ab2eb55fb4c8 /django/utils/encoding.py
parent: d3db878e4beff057400dd780c24f3601a5d31f95 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
index 3abee09c52..39d548a9ce 100644
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -226,6 +226,23 @@ def uri_to_iri(uri):
     return repercent_broken_unicode(iri).decode('utf-8')
 
 
+def escape_uri_path(path):
+    """
+    Escape the unsafe characters from the path portion of a Uniform Resource
+    Identifier (URI).
+    """
+    # These are the "reserved" and "unreserved" characters specified in
+    # sections 2.2 and 2.3 of RFC 2396:
+    #   reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
+    #   unreserved  = alphanum | mark
+    #   mark        = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
+    # The list of safe characters here is constructed substracting ";", "=",
+    # and "?" according to section 3.3 of RFC 2396.
+    # The reason for not subtracting and escaping "/" is that we are escaping
+    # the entire path, not a path segment.
+    return quote(force_bytes(path), safe=b"/:@&+$,-_.!~*'()")
+
+
 def repercent_broken_unicode(path):
     """
     As per section 3.2 of RFC 3987, step three of converting a URI into an IRI,
author	Unai Zalakain <unai@gisa-elkartea.org>	2014-10-31 17:43:34 +0200
committer	Tim Graham <timograham@gmail.com>	2014-11-03 07:59:19 -0500
commit	c548c8d0d1112d2c4bace2eebf73ede35300d842 (patch)
tree	a0d8e3089302139c6a24b6262d37ab2eb55fb4c8 /django/utils/encoding.py
parent	d3db878e4beff057400dd780c24f3601a5d31f95 (diff)