quote characters in the url query that are safe for Django but not for oauthlib

oauth2_provider/backends.py

@@ -1,9 +1,14 @@
 from oauthlib import oauth2
-from oauthlib.common import urlencode
+from oauthlib.common import urlencode, urlencoded, quote
 
 from .exceptions import OAuthToolkitError, FatalClientError
 from .oauth2_validators import OAuth2Validator
 
+try:
+    from urlparse import urlparse, urlunparse
+except ImportError:
+    from urllib.parse import urlparse, urlunparse
+
 
 class OAuthLibCore(object):
     """
@@ -15,12 +20,24 @@ def __init__(self, server=None):
         """
         self.server = server or oauth2.Server(OAuth2Validator())
 
+    def _get_escaped_full_path(self, request):
+        """
+        Django considers "safe" some characters that aren't so for oauthlib. We have to search for
+        them and properly escape.
+        """
+        parsed = list(urlparse(request.get_full_path()))
+        unsafe = set(c for c in parsed[4]).difference(urlencoded)
+        for c in unsafe:
+            parsed[4] = parsed[4].replace(c, quote(c, safe=''))
+
+        return urlunparse(parsed)
+
     def _extract_params(self, request):
         """
-        Extract parameters from the Django request object. Such parameters will then be passed to OAuthLib to build its
-        own Request object
+        Extract parameters from the Django request object. Such parameters will then be passed to
+        OAuthLib to build its own Request object
         """
-        uri = request.build_absolute_uri()
+        uri = self._get_escaped_full_path(request)
         http_method = request.method
         headers = request.META.copy()
         if 'wsgi.input' in headers:
@@ -86,7 +103,8 @@ def create_token_response(self, request):
         """
         uri, http_method, body, headers = self._extract_params(request)
 
-        url, headers, body, status = self.server.create_token_response(uri, http_method, body, headers)
+        url, headers, body, status = self.server.create_token_response(uri, http_method, body,
+                                                                       headers)
         return url, headers, body, status
 
     def verify_request(self, request, scopes):
@@ -104,7 +122,8 @@ def verify_request(self, request, scopes):
 
 def get_oauthlib_core():
     """
-    Utility function that take a request and returns an instance of `oauth2_provider.backends.OAuthLibCore`
+    Utility function that take a request and returns an instance of
+    `oauth2_provider.backends.OAuthLibCore`
     """
     from oauth2_provider.oauth2_validators import OAuth2Validator
     from oauthlib.oauth2 import Server

oauth2_provider/tests/__init__.py

@@ -10,3 +10,4 @@
 from .test_rest_framework import *
 from .test_application_views import *
 from .test_decorators import *
+from .test_oauth2_backends import *

oauth2_provider/tests/test_oauth2_backends.py

@@ -0,0 +1,18 @@
+from django.test import TestCase, RequestFactory
+
+
+from ..backends import get_oauthlib_core
+
+
+class TestOAuthLibCore(TestCase):
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_validate_authorization_request_unsafe_query(self):
+        auth_headers = {
+            'HTTP_AUTHORIZATION': 'Bearer ' + "a_casual_token",
+        }
+        request = self.factory.get("/fake-resource?next=/fake", **auth_headers)
+
+        oauthlib_core = get_oauthlib_core()
+        oauthlib_core.verify_request(request, scopes=[])