From bb02cd701f332f3e2c02a8616a7bee3d0eb323ba Mon Sep 17 00:00:00 2001
From: Ben Darnell <ben@bendarnell.com>
Date: Fri, 20 Mar 2015 15:28:53 -0400
Subject: [PATCH] Guard against messages containing % signs in web.HTTPError.

This occurs in cases like RequestHandler.get_argument which
build their own message string instead of passing a printf
string and args to HTTPError.

Fixes #1393.
---
 tornado/test/web_test.py | 6 ++++++
 tornado/web.py           | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/tornado/test/web_test.py b/tornado/test/web_test.py
index a52f16678..9c49ca7c0 100644
--- a/tornado/test/web_test.py
+++ b/tornado/test/web_test.py
@@ -397,6 +397,12 @@ class RequestEncodingTest(WebTestCase):
                               path_args=["a/b", "c/d"],
                               args={}))
 
+    def test_error(self):
+        # Percent signs (encoded as %25) should not mess up printf-style
+        # messages in logs
+        with ExpectLog(gen_log, ".*Invalid unicode"):
+            self.fetch("/group/?arg=%25%e9")
+
 
 class TypeCheckHandler(RequestHandler):
     def prepare(self):
diff --git a/tornado/web.py b/tornado/web.py
index 155da550d..4800afa10 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -2031,6 +2031,8 @@ class HTTPError(Exception):
         self.log_message = log_message
         self.args = args
         self.reason = kwargs.get('reason', None)
+        if log_message and not args:
+            self.log_message = log_message.replace('%', '%%')
 
     def __str__(self):
         message = "HTTP %d: %s" % (
-- 
2.47.2