Guard against messages containing % signs in web.HTTPError.

This occurs in cases like RequestHandler.get_argument which
build their own message string instead of passing a printf
string and args to HTTPError.

Fixes #1393.

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index a52f16678c514c9ec2215a2d8ad2146f2c6853ad..9c49ca7c026fc90c70f1f598dba6482725e9bdff 100644 (file)
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -397,6 +397,12 @@ class RequestEncodingTest(WebTestCase):
                               path_args=["a/b", "c/d"],
                               args={}))
 
+    def test_error(self):
+        # Percent signs (encoded as %25) should not mess up printf-style
+        # messages in logs
+        with ExpectLog(gen_log, ".*Invalid unicode"):
+            self.fetch("/group/?arg=%25%e9")
+
 
 class TypeCheckHandler(RequestHandler):
     def prepare(self):

diff --git a/tornado/web.py b/tornado/web.py
index 155da550d28913c1e974d3ca61408ffd0e257eb5..4800afa10c054ddc7e0f8e4112eee7ee4efdfec4 100644 (file)
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2031,6 +2031,8 @@ class HTTPError(Exception):
         self.log_message = log_message
         self.args = args
         self.reason = kwargs.get('reason', None)
+        if log_message and not args:
+            self.log_message = log_message.replace('%', '%%')
 
     def __str__(self):
         message = "HTTP %d: %s" % (