- Ensure a redirect path does not get URL-encoded twice

CHANGES.rst

@@ -14,6 +14,8 @@ https://github.com/zopefoundation/Zope/blob/4.0a6/CHANGES.rst
 Fixes
 +++++
 
+- Ensure a redirect path does not get URL-encoded twice
+
 - Prevent inability to log into the ZMI due to failing exception views
 
 - Hardeded ``RESPONSE.redirect`` to deal with any unencoded or encoded input

src/ZPublisher/HTTPResponse.py

@@ -27,6 +27,7 @@
 from six import reraise
 from six import text_type
 from six.moves.urllib.parse import quote
+from six.moves.urllib.parse import unquote
 from six.moves.urllib.parse import urlparse
 from six.moves.urllib.parse import urlunparse
 
@@ -216,7 +217,7 @@ def redirect(self, location, status=302, lock=0):
         # characters in the path part are quoted correctly. This is required
         # as we now allow non-ASCII IDs
         parsed = list(urlparse(location))
-        parsed[2] = quote(parsed[2])
+        parsed[2] = quote(unquote(parsed[2]))
         location = urlunparse(parsed)
 
         self.setStatus(status, lock=lock)

src/ZPublisher/tests/testHTTPResponse.py

@@ -783,6 +783,14 @@ def test_redirect_nonascii(self):
         self.assertEqual(response.getHeader('Location'), ENC_URL)
         self.assertEqual(result, ENC_URL)
 
+    def test_redirect_alreadyquoted(self):
+        # If a URL is already quoted, don't double up on the quoting
+        ENC_URL = 'http://example.com/M%C3%A4H'
+        response = self._makeOne()
+        result = response.redirect(ENC_URL)
+        self.assertEqual(result, ENC_URL)
+        self.assertEqual(response.getHeader('Location'), ENC_URL)
+
     def test__encode_unicode_no_content_type_uses_default_encoding(self):
         UNICODE = u'<h1>Tr\u0039s Bien</h1>'
         response = self._makeOne()