quote usernames

allow @ to be left unescaped in URLs, quote everything in cookie names
2025-10-16 14:33:00 +00:00 · 2015-04-16 15:54:39 -07:00
parent 30eef4d353
commit d4a4d04183
2 changed files with 12 additions and 3 deletions
--- a/jupyterhub/orm.py
+++ b/jupyterhub/orm.py
@@ -7,6 +7,7 @@ from datetime import datetime, timedelta
 import errno
 import json
 import socket
+from urllib.parse import quote

 from tornado import gen
 from tornado.log import app_log
@@ -145,7 +146,7 @@ class Proxy(Base):
            )
        else:
            return "<%s [unconfigured]>" % self.__class__.__name__
-
+    
    def api_request(self, path, method='GET', body=None, client=None):
        """Make an authenticated API request of the proxy"""
        client = client or AsyncHTTPClient()
@@ -299,6 +300,11 @@ class User(Base):
                name=self.name,
            )
    
+    @property
+    def escaped_name(self):
+        """My name, escaped for use in URLs, cookies, etc."""
+        return quote(self.name, safe='@')
+    
    @property
    def running(self):
        """property for whether a user has a running server"""
@@ -333,9 +339,10 @@ class User(Base):
        db = inspect(self).session
        if hub is None:
            hub = db.query(Hub).first()
+        
        self.server = Server(
-            cookie_name='%s-%s' % (hub.server.cookie_name, self.name),
-            base_url=url_path_join(base_url, 'user', self.name),
+            cookie_name='%s-%s' % (hub.server.cookie_name, quote(self.name, safe='')),
+            base_url=url_path_join(base_url, 'user', self.escaped_name),
        )
        db.add(self.server)
        db.commit()