Closed
Description
Expected Behavior
When a forward slash (/) is percent encoded, it should not be treated as a delimiter in a URL but instead should be treated as a string character.
from flask import Flask

app = Flask(__name__)

# The string converter matches one path segment (text without a slash).
@app.route('/<string:foo>')
def index(foo):
    return foo

app.run('localhost', 3000)
$ curl localhost:3000/foo%2Fbar
foo/bar
Actual Behavior
$ curl localhost:3000/foo%2Fbar
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Environment
- Python version: Python 3.5.3
- Flask version: 0.12.2
- Werkzeug version: 0.12.2
venv:
click==6.7
Flask==0.12.2
itsdangerous==0.24
Jinja2==2.9.6
MarkupSafe==1.0
Werkzeug==0.12.2
Use Case
A website has the URL rule /<string:company>/<string:user>. Company names and users would have to have the slash character disallowed, otherwise they would not be able to be cleanly represented as a URL.
A Second Example
A second issue that I assume is directly related is that url_for doesn't escape the forward slash.
from flask import Flask, Markup, request, redirect, url_for

app = Flask(__name__)

@app.route('/', methods=('GET', 'POST'))
def index():
    if request.method == 'POST':
        # Build the target URL from the two submitted form values.
        return redirect(url_for('other', foo=request.form['foo'], bar=request.form['bar']))
    else:
        return Markup(
'''<form method="POST">
<input name="foo" type="text">
<input name="bar" type="text">
<input type="submit" value="Submit">
</form>
''')

@app.route('/other/<string:foo>/<string:bar>')
def other(foo, bar):
    return '{}<br>{}'.format(foo, bar)

app.run('localhost', 3000)
In the browser, submitting foo/moarfoo and bar into the two fields yields the URL /foo/moarfoo/bar instead of /foo%2Fmoarfoo/bar.
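The behavior reported above depends on whether a path is percent-decoded before or after it is split on `/`. The following is an added example, not part of the original issue and not Flask or Werkzeug code; it uses only the standard library, and `build_path`, `split_after_decoding`, `split_before_decoding` and `match_two_segments` are hypothetical helpers that model a two-segment rule such as /<string:company>/<string:user>.

```python
from urllib.parse import quote, unquote


def build_path(*segments):
    """Join segments into a path, percent-encoding every reserved
    character inside a segment, including '/' (safe='')."""
    return "/" + "/".join(quote(s, safe="") for s in segments)


def split_after_decoding(raw_path):
    """Decode the whole path first, then split on '/'. This is what a
    router sees when it is handed an already-decoded path."""
    return unquote(raw_path).lstrip("/").split("/")


def split_before_decoding(raw_path):
    """Split the raw path on literal '/' first, then decode each segment,
    so an encoded %2F stays inside its segment."""
    return [unquote(s) for s in raw_path.lstrip("/").split("/")]


def match_two_segments(segments):
    """Hypothetical stand-in for a two-segment rule: returns the pair of
    values, or None when the segment count is wrong (a 404)."""
    return tuple(segments) if len(segments) == 2 else None


if __name__ == "__main__":
    # Constructed sample values, taken from the form input in the report.
    raw = build_path("foo/moarfoo", "bar")
    print("encoded path:      ", raw)
    print("decode then split: ", match_two_segments(split_after_decoding(raw)))
    print("split then decode: ", match_two_segments(split_before_decoding(raw)))

    # quote() with its default safe='/' leaves the slash unescaped, so the
    # generated path gains a segment, as in the second example above.
    print("default quoting:   ",
          "/" + "/".join(quote(s) for s in ("foo/moarfoo", "bar")))

    # The ambiguity also runs the other way: a raw path with ONE segment
    # is seen as two once it has been decoded (constructed sample path).
    one = "/acme%2Fadmin"
    print("one raw segment:   ", match_two_segments(split_after_decoding(one)))
```

When the path is decoded before routing, the only unambiguous options are to disallow `/` in the stored values or to carry them in a form that needs no slash, such as a separate identifier.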