X-IC-Redirect header: only escape path component

Whoops, previous attempt at fix ended up breaking anywhere that did a 302 redirect with a full url (which wiki pages do after editing).
5 years ago · 9fc84bf681
1 changed files with 6 additions and 2 deletions
--- a/tildes/tildes/views/api/web/exceptions.py
+++ b/tildes/tildes/views/api/web/exceptions.py
@ -4,7 +4,7 @@
 """Web API exception views."""

 from typing import Sequence
-from urllib.parse import quote
+from urllib.parse import quote, urlparse, urlunparse

 from marshmallow.exceptions import ValidationError
 from pyramid.httpexceptions import (
@ -107,4 +107,8 @@ def httpfound(request: Request) -> Response:
    302 into a 200 with that header so it works as a redirect for both standard requests
    as well as Intercooler ones.
    """
-    return Response(headers={"X-IC-Redirect": quote(request.exception.location)})
+    # need to url-escape only the path of the redirect destination
+    parsed = urlparse(request.exception.location)
+    parsed = parsed._replace(path=quote(parsed.path))
+
+    return Response(headers={"X-IC-Redirect": urlunparse(parsed)})