Merge pull request #186 from consideRatio/fix-bug-by-minimal-quoting

Quote as little as needed for a valid proxied web request

Author: manics

.travis.yml

@@ -1,10 +1,14 @@
 language: python
 python:
 - 3.5
+- 3.6
+- 3.7
+- 3.8
 
-script:
+install:
   - pip3 install .
   - pip3 install pytest
+script:
   - JUPYTER_TOKEN=secret jupyter-notebook --config=./tests/resources/jupyter_server_config.py &
   - sleep 5
-  - pytest
+  - pytest -v

jupyter_server_proxy/handlers.py

@@ -141,7 +141,14 @@ def get_client_uri(self, protocol, host, port, proxied_path):
         else:
             client_path = proxied_path
 
-        client_path = quote(client_path)
+        # Quote spaces, åäö and such, but only enough to send a valid web
+        # request onwards. To do this, we mark the RFC 3986 specs' "reserved"
+        # and "un-reserved" characters as safe that won't need quoting. The
+        # un-reserved need to be marked safe to ensure the quote function behave
+        # the same in py36 as py37.
+        #
+        # ref: https://tools.ietf.org/html/rfc3986#section-2.2
+        client_path = quote(client_path, safe=":/?#[]@!$&'()*+,;=-._~")
 
         client_uri = '{protocol}://{host}:{port}{path}'.format(
             protocol=protocol,

tests/test_proxies.py

@@ -20,13 +20,28 @@ def request_get(port, path, token, host='localhost'):
     return h.getresponse()
 
 
-def test_server_proxy_url_encoding():
-    special_path = quote('Hellö Wörld 🎉你好世界@±¥')
+def test_server_proxy_minimal_proxy_path_encoding():
+    """Test that we don't encode anything more than we must to have a valid web
+    request."""
+    special_path = quote("Hello world 123 åäö 🎉你好世界±¥ :/[]@!$&'()*+,;=-._~", safe=":/?#[]@!$&'()*+,;=-._~")
+    # NOTE: we left out ?# as they would interact badly with our requests_get
+    # function's ability to pass the token query parameter.
     test_url = '/python-http/' + special_path
     r = request_get(PORT, test_url, TOKEN)
     assert r.code == 200
     s = r.read().decode('ascii')
-    assert s.startswith('GET /{}?token='.format(special_path))
+    assert 'GET /{}?token='.format(special_path) in s
+
+def test_server_proxy_minimal_proxy_path_encoding_complement():
+    """Test that we don't encode ?# as a complement to the other test."""
+    test_url = '/python-http/?token={}#test'.format(TOKEN)
+    h = HTTPConnection('localhost', PORT, 10)
+    r = request_get(PORT, test_url, TOKEN)
+    h.request('GET', test_url)
+    return h.getresponse()
+    assert r.code == 200
+    s = r.read().decode('ascii')
+    assert 'GET /{}?token='.format(test_url) in s
 
 
 def test_server_proxy_non_absolute():