Pluses and spaces (#14)

* escape plus signs in qualifier values * include tests for unsupported package types * document additional escaping
phylum-dev · Nov 20, 2023 · c71730c · c71730c
1 parent fb2b188
commit c71730c
Show file tree

Hide file tree

Showing 5 changed files with 473 additions and 90 deletions.
diff --git a/purl/src/format.rs b/purl/src/format.rs
@@ -20,7 +20,9 @@ const PATH: &AsciiSet = &QUERY.add(b'?').add(b'`').add(b'{').add(b'}');
 // be escaped except when used as a separator.
 const PURL_PATH: &AsciiSet = &PATH.add(b'@').add(b'?').add(b'#');
 const PURL_PATH_SEGMENT: &AsciiSet = &PURL_PATH.add(b'/');
-const PURL_QUERY: &AsciiSet = &QUERY.add(b'@').add(b'?').add(b'#');
+// For compatibility with PURL implementations that treat qualifiers as
+// form-urlencoded, escape '+' as well.
+const PURL_QUERY: &AsciiSet = &QUERY.add(b'@').add(b'?').add(b'#').add(b'+');
 const PURL_FRAGMENT: &AsciiSet = &FRAGMENT.add(b'@').add(b'?').add(b'#');
 
 impl<T> fmt::Display for GenericPurl<T>

diff --git a/purl/src/package_type.rs b/purl/src/package_type.rs
@@ -44,6 +44,18 @@ use crate::{
 ///   but this implementation does not convert them to lowercase. Go modules can
 ///   have mixed case names, and mixed case names are distinct.
 ///   ([package-url/purl-spec#196])
+/// - Some implementations treat '+' in qualifiers as '+' and some
+///   implementations treat '+' as ' '. This implementation treats '+' as '+'
+///   because there is nothing in the spec that says they should be ' '.
+///   However, even though the spec never references x-www-form-urlencoded,
+///   qualifiers look like x-www-form-urlencoded, and in x-www-form-urlencoded,
+///   '+' means ' '. For compatibility with other implementations, this
+///   implementation escapes '+' as %2B in qualifiers, avoiding ambiguous
+///   parsing at the cost of making the PURL more difficult for humans to read.
+///   Some implementations also convert '+' to ' ' in other parts of the PURL,
+///   including in version numbers where they can be common, but this
+///   implementation does not escape '+' there because that is an implementation
+///   error, not a spec ambiguity.
 ///
 /// [package-url/purl-spec#226]: https://github.com/package-url/purl-spec/issues/226
 /// [package-url/purl-spec#165]: https://github.com/package-url/purl-spec/pull/165