always encode query parameters in sorted order

cmeerw · cmeerw · commit 58c22fac7231 · 2018-08-16T20:14:09.000+01:00
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -1221,7 +1221,7 @@ def handle(self):
                                                 redirect_url_tuple.netloc,
                                                 redirect_url_tuple.path,
                                                 redirect_url_tuple.params,
-                                                urllib_.urlencode(query, doseq=True),
+                                                urllib_.urlencode(list(sorted(query.items())), doseq=True),
                                                 redirect_url_tuple.fragment)
                                            )
 
@@ -1239,7 +1239,7 @@ def handle(self):
                                                     redirect_url_tuple.netloc,
                                                     redirect_url_tuple.path,
                                                     redirect_url_tuple.params,
-                                                    urllib_.urlencode(query, doseq=True),
+                                                    urllib_.urlencode(list(sorted(query.items())), doseq=True),
                                                     redirect_url_tuple.fragment )
                                                )
                 raise exceptions.Redirect(redirect_url)
diff --git a/test/test_actions.py b/test/test_actions.py
@@ -325,7 +325,7 @@ def opendb(username):
 
         # test if we are logged out; should kill the @action=logout
         self.form.value[:] = []         # clear out last test's setup values
-        self.assertLoginRaisesRedirect("http://whoami.com/path/issue39?%40startwith=0&%40pagesize=50",
+        self.assertLoginRaisesRedirect("http://whoami.com/path/issue39?%40pagesize=50&%40startwith=0",
                                  'foo', 'right', "http://whoami.com/path/issue39?@action=logout&@pagesize=50&@startwith=0")
 
     def testInvalidLoginRedirect(self):
@@ -336,12 +336,12 @@ def opendb(username):
         self.client.opendb = opendb
 
         # basic test with query
-        self.assertLoginRaisesRedirect("http://whoami.com/path/issue?%40error_message=Invalid+login&%40action=search",
+        self.assertLoginRaisesRedirect("http://whoami.com/path/issue?%40action=search&%40error_message=Invalid+login",
                                  'foo', 'wrong', "http://whoami.com/path/issue?@action=search")
 
         # test that old messages are removed
         self.form.value[:] = []         # clear out last test's setup values
-        self.assertLoginRaisesRedirect("http://whoami.com/path/issue?%40error_message=Invalid+login&%40action=search",
+        self.assertLoginRaisesRedirect("http://whoami.com/path/issue?%40action=search&%40error_message=Invalid+login",
                                  'foo', 'wrong', "http://whoami.com/path/issue?@action=search&@ok_messagehurrah+we+win&@error_message=blam")
 
         # test when there is no __came_from specified
