Normalization of URIs for use in base strings does not percent encode spaces #650

@hoylen

Description

Describe the bug

The normalisation of a URL does not process the space character (0x20) according to
section 3.4.1.2 of RFC 5849.

The implementation is in the normalize_base_string_uri function in oauthlib/oauth1/rfc5849/signature.py.

How to reproduce

Invoke normalize_base_string_uri with a URI that contains a space character (e.g. the example http://EXAMPLE.COM:80/r v/X?id=123 from the RFC; there is a space between the "r" and the "v").

The returned value is http://example.com/r v/X, where the space is not percent encoded.

Expected behavior

The returned value should have the space percent encoded: http://example.com/r%20v/X

Additional context

Please provide any further context here.

  • Are you using OAuth1, OAuth2 or OIDC?

This was discovered when using OAuth1 with RSA-SHA1. The signature verification was failing, because the base string that was signed is different between the client and the server. The client was signing a base string that had the space percent encoded, but the server used a base string that didn't have the space encoded correctly. Note: the correct base string encodes the normalised URI, so it actually will contain "%2520" (the percent encoding of "%20").

  • Are you writing client or server side code?

Server side code.

Python unit test code, using examples from the RFC:
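
The reporter's unit test was not captured on this page. As an added illustration (not oauthlib's code and not the reporter's test), the following stand-alone Python reimplements the RFC 5849 section 3.4.1.2 URI normalization using the RFC's own examples, alongside a deliberately non-encoding variant that mirrors the server behaviour described in the report, and then builds the section 3.4.1.1 signature base string to show where the "%2520" comes from and why the client and server signatures diverge. Function names, the `oauth_nonce` sample parameter and the secrets are illustrative assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Characters a URI path may carry unescaped per RFC 3986 (pchar plus "/").
# "%" is kept so existing percent-escapes are not double-encoded here.
_PATH_SAFE = "/:@!$&'()*+,;=-._~%"


def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6: only unreserved characters pass through."""
    return quote(value, safe="-._~")


def normalize_base_string_uri(uri: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port,
    drop query and fragment, and percent-encode the path (space -> %20)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port is None or port == default_port else f"{host}:{port}"
    path = quote(parts.path or "/", safe=_PATH_SAFE)
    return f"{scheme}://{netloc}{path}"


def buggy_normalize_base_string_uri(uri: str) -> str:
    """Constructed illustration of the reported behaviour: same steps as
    above, but the path is returned without percent-encoding."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port is None or port == default_port else f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"


def normalize_parameters(params) -> str:
    """RFC 5849 section 3.4.1.3.2: encode names and values, sort, join."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, uri: str, oauth_params,
                          normalizer=normalize_base_string_uri) -> str:
    """RFC 5849 section 3.4.1.1: METHOD & encode(uri) & encode(params).
    The normalized URI is percent-encoded again, so a %20 in the
    normalized path appears as %2520 in the base string."""
    query = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    params = normalize_parameters(list(query) + list(oauth_params))
    return "&".join([method.upper(),
                     percent_encode(normalizer(uri)),
                     percent_encode(params)])


def hmac_sha1_signature(base_string: str, client_secret: str,
                        token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2 HMAC-SHA1 (used here instead of RSA-SHA1
    so the demonstration needs no key material beyond stdlib)."""
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def client_vs_server(uri: str, oauth_params, client_secret: str):
    """Return the base strings and signatures a correctly encoding client
    and a non-encoding server would compute for the same request."""
    client_bs = signature_base_string("GET", uri, oauth_params)
    server_bs = signature_base_string("GET", uri, oauth_params,
                                      normalizer=buggy_normalize_base_string_uri)
    return (client_bs, hmac_sha1_signature(client_bs, client_secret),
            server_bs, hmac_sha1_signature(server_bs, client_secret))


if __name__ == "__main__":
    # Example URI from RFC 5849 section 3.4.1.2 (note the space in the path).
    uri = "http://EXAMPLE.COM:80/r v/X?id=123"
    print(normalize_base_string_uri(uri))        # http://example.com/r%20v/X
    print(buggy_normalize_base_string_uri(uri))  # http://example.com/r v/X
    c_bs, c_sig, s_bs, s_sig = client_vs_server(uri, [("oauth_nonce", "abc")], "kd94hf93k423kf44")
    print(c_bs)
    print(s_bs)
    print("signatures match:", c_sig == s_sig)
```

The client and server base strings differ only in the URI component ("%2520" versus an unencoded space, which itself becomes "%20" after the outer encoding), yet that single difference is enough for the HMAC-SHA1 values, and equally an RSA-SHA1 signature over the same base strings, to fail verification.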
