From: Tom Hacohen
Date: Fri, 4 Jan 2019 02:21:55 +0000
Subject: Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page.

Co-Authored-By: Tim Graham

Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
Backported to 1.7.11 by Chris Lamb .
---
 django/views/defaults.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/django/views/defaults.py b/django/views/defaults.py
index 77e0918..0d69db5 100644
--- a/django/views/defaults.py
+++ b/django/views/defaults.py
@@ -4,6 +4,7 @@ from django import http
 from django.template import (Context, RequestContext, loader, Template,
     TemplateDoesNotExist)
 from django.utils.deprecation import RemovedInDjango18Warning
+from django.utils.http import urlquote
 from django.views.decorators.csrf import requires_csrf_token
@@ -26,9 +27,9 @@ def page_not_found(request, template_name='404.html'):
     except TemplateDoesNotExist:
         template = Template(
             '

Not Found

' - '

The requested URL {{ request_path }} was not found on this server.

') + '

The requested resource was not found on this server.

') content_type = 'text/html' - body = template.render(RequestContext(request, {'request_path': request.path})) + body = template.render(RequestContext(request, {'request_path': urlquote(request.path)})) return http.HttpResponseNotFound(body, content_type=content_type)
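Review bot: The `request_path` value handed to the RequestContext on the new `body = ...` line is now percent-encoded by `urlquote()`, which is a visible behaviour change for every project-supplied 404.html that renders `{{ request_path }}`, yet nothing in the hunk documents it. A path containing spaces or non-ASCII characters, which previously rendered readably, will now show as `%20` or `%C3%A9` sequences; with urlquote's default `safe='/'` the slashes survive, so the value still reads as a path. Template autoescaping only neutralises HTML metacharacters, not readable text, so this encoding is the sole remaining mitigation for the plain-text spoofing the commit fixes; template authors must not reverse it in the template or substitute the raw `request.path`. page_not_found begins before this hunk (its `def` line is the hunk's context marker); its docstring should gain a line such as `request_path: the requested URL's path, percent-encoded with urlquote() so a crafted path cannot inject readable text into the 404 page (CVE-2019-3498).`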