When pyramid.debug_authorization is enabled, invalid Unicode HTTP request raises URLDecodeError

[mckea]

Defining an error view for URLDecodeError will handle HTTP requests containing invalid Unicode characters, but if pyramid.debug_authorization is enabled in the application config file, a URLDecodeError is still raised on this line:

pyramid/src/pyramid/viewderivers.py

Line 366 in 3739a77

url = getattr(request, 'url', None)

To reproduce, define an error view for URLDecodeError:

from pyramid.exceptions import URLDecodeError
from pyramid.httpexceptions import HTTPBadRequest
from pyramid.security import NO_PERMISSION_REQUIRED

@view_config(                                                                    
    context=URLDecodeError,                                                      
    permission=NO_PERMISSION_REQUIRED                                            
)                                                                                
def url_decode_error_view(context, request):                                     
    return HTTPBadRequest()

In the application config file, set pyramid.debug_authorization = true

Make a request containing invalid unicode:

wget http://127.0.0.1:6543/%EF%BF

This will raise an exception and return a 500.

Repeating this with pyramid.debug_authorization = false will handle the exception properly and return a 400.

[mmerickel]

Thanks for reporting this - I've uncovered a couple bugs in the code related to this.

1. I recommend that you use exception_view_config as there are some explicit optimizations in the code.
2. Even if you did that, there were still some issues that I've fixed in fix secured views to avoid being applied to exception views #3741.