From: Ben Darnell <ben@bendarnell.com>
Date: Fri, 20 Mar 2015 19:28:53 +0000 (-0400)
Subject: Guard against messages containing % signs in web.HTTPError.
X-Git-Tag: v4.2.0b1~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb02cd701f332f3e2c02a8616a7bee3d0eb323ba;p=thirdparty%2Ftornado.git

Guard against messages containing % signs in web.HTTPError.

This occurs in cases like RequestHandler.get_argument which
build their own message string instead of passing a printf
string and args to HTTPError.

Fixes #1393.
---

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index a52f16678..9c49ca7c0 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -397,6 +397,12 @@ class RequestEncodingTest(WebTestCase):
                               path_args=["a/b", "c/d"],
                               args={}))
 
+    def test_error(self):
+        # Percent signs (encoded as %25) should not mess up printf-style
+        # messages in logs
+        with ExpectLog(gen_log, ".*Invalid unicode"):
+            self.fetch("/group/?arg=%25%e9")
+
 
 class TypeCheckHandler(RequestHandler):
     def prepare(self):
diff --git a/tornado/web.py b/tornado/web.py
index 155da550d..4800afa10 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2031,6 +2031,8 @@ class HTTPError(Exception):
         self.log_message = log_message
         self.args = args
         self.reason = kwargs.get('reason', None)
+        if log_message and not args:
+            self.log_message = log_message.replace('%', '%%')
 
     def __str__(self):
         message = "HTTP %d: %s" % (