Allow url punctuation as defined in RFC 3986 section 2.3

CHANGELOG.txt

@@ -25,6 +25,7 @@ Changelog
  * Fix: Prevent duplicate notification messages on page locking (Jacob Topp-Mugglestone)
  * Fix: Fix InlinePanel item non field errors not visible (Storm Heg)
  * Fix: `{% image ... as var %}` now clears the context variable when passed None as an image (Maylon Pedroso)
+ * Fix: Allow RFC 3986-permitted punctuation in custom URL routes such as `RoutablePageMixin` (Storm Heg)
 
 
 2.8 (03.02.2020)

docs/releases/2.9.rst

@@ -39,6 +39,7 @@ Bug fixes
  * Prevent duplicate notification messages on page locking (Jacob Topp-Mugglestone)
  * Rendering of non field errors for InlinePanel items (Storm Heg)
  * ``{% image ... as var %}`` now clears the context variable when passed None as an image (Maylon Pedroso)
+ * Allow RFC 3986-permitted punctuation in custom URL routes such as ``RoutablePageMixin`` (Storm Heg)
 
 
 Upgrade considerations

wagtail/contrib/routable_page/tests.py

@@ -130,6 +130,18 @@ class TestRoutablePage(TestCase):
 
         self.assertContains(response, "EXTERNAL VIEW: ARG NOT SET")
 
+    def test_get_external_view_allows_punctuation(self):
+        response = self.client.get(self.routable_page.url + "external/joe-._~bloggs/")
+
+        self.assertContains(response, "EXTERNAL VIEW: joe-._~bloggs")
+
+    @override_settings(WAGTAIL_APPEND_SLASH=False, APPEND_SLASH=False)
+    def test_get_external_view_allows_punctuation_no_append_slash_with_slash(self):
+        # We are testing this with a slash because of this issue: https://github.com/wagtail/wagtail/issues/2871
+        response = self.client.get(self.routable_page.url + "external/joe-._~bloggs/")
+
+        self.assertContains(response, "EXTERNAL VIEW: joe-._~bloggs")
+
     def test_routable_page_can_have_instance_bound_descriptors(self):
         # This descriptor pretends that it does not exist in the class, hence
         # it raises an AttributeError when class bound. This is, for instance,

wagtail/core/urls.py

@@ -5,16 +5,20 @@ from django.contrib.auth import views as auth_views
 from wagtail.core import views
 from wagtail.core.utils import WAGTAIL_APPEND_SLASH
 
+# Allowed punctuation from RFC 3986
+# Section 2.3: "-" / "." / "_" / "~"
+ALLOWED_PUNCTUATION = r"\-._~"
+
 if WAGTAIL_APPEND_SLASH:
     # If WAGTAIL_APPEND_SLASH is True (the default value), we match a
     # (possibly empty) list of path segments ending in slashes.
     # CommonMiddleware will redirect requests without a trailing slash to
     # a URL with a trailing slash
-    serve_pattern = r'^((?:[\w\-]+/)*)$'
+    serve_pattern = r"^((?:[\w{}]+/)*)$".format(ALLOWED_PUNCTUATION)
 else:
     # If WAGTAIL_APPEND_SLASH is False, allow Wagtail to serve pages on URLs
     # with and without trailing slashes
-    serve_pattern = r'^([\w\-/]*)$'
+    serve_pattern = r"^([\w{}/]*)$".format(ALLOWED_PUNCTUATION)
 
 
 WAGTAIL_FRONTEND_LOGIN_TEMPLATE = getattr(

wagtail/images/tests/tests.py

@@ -337,8 +337,8 @@ class TestFrontendServeView(TestCase):
         # Generate signature
         signature = generate_signature(self.image.id, 'fill-800x600')
 
-        # Get the image
-        response = self.client.get(reverse('wagtailimages_serve', args=(signature, self.image.id, 'fill-800x600')) + 'test/test.png')
+        # Get the image. Follow redirect because Wagtail attempts to serve the url as "." is part of the url match.
+        response = self.client.get(reverse('wagtailimages_serve', args=(signature, self.image.id, 'fill-800x600')) + 'test/test.png', follow=True)
 
         # URL pattern should not match
         self.assertEqual(response.status_code, 404)