I have a simple TurboGears 2 script, named app.py:
#!/usr/bin/env python3
from wsgiref.simple_server import make_server
from tg import expose, TGController, AppConfig
class RootController(TGController):
@expose()
def lookup(self, name):
return name
config = AppConfig(minimal=True, root_controller=RootController())
print("Serving on port 5000...")
httpd = make_server('', 5000, config.make_wsgi_app())
httpd.serve_forever()
When I run app.py and visit http://localhost:5000/lookup/dave, I see "dave" as expected. But when I visit http://localhost:5000/lookup/dave%2Fdavid, I get a 404 error instead of "dave/david". It seems that TurboGears is splitting 'dave%2Fdavid' into two separate arguments.
How can I get TurboGears to respect that an escaped slash is different from an unescaped slash?
It's not possible to distinguish / from %2F in standard WSGI applications. There was a long argument about this in 2008, but the WSGI spec authors decided that compatibility with CGI--which does not distinguish between the two either--was more important than letting the programmer decide how to interpret a %2F.
In the end I decided to convert / to %252F when building paths, and then run replace('%2F', '/') on every variable I get from the path. This is not a very elegant solution, but unless the WSGI authors have a change of heart I don't see a better option.