fix: escape / in names and versions #123
base: main
Conversation
AFAIK
The tests come from https://github.com/package-url/purl-spec/blob/master/test-suite-data.json .
Yes, I would say the spec is somewhat ambiguous. The spec does say this:
The second line refers to the separator. And given that the name must be a percent-encoded string, I would think a
I mean, I don't think there's a package type which allows slashes in the name, and I don't think it would be a good idea to make a package type that would include slashes in the name. The implementations should do something consistent and the tests in the spec should specify what that is.
In the spec, no, there isn't a package type that has
Just thought of another use case that might want slashes in the name. If a company is using a monorepo with multiple products in one repo, you might have, say, github/org/repo_name/product_name where the actual name would be "repo_name/product_name."
    if name:
        name = name.replace("/", "%2F")
    if version:
        version = version.replace("/", "%2F")
These should actually use urllib.parse.quote(the_string, safe='')
This will properly escape slashes in both names and versions of packages.
In addition, I've synced the tests with the ones in https://github.com/package-url/packageurl-dotnet.
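The following is an added example, not code from this pull request or from the packageurl project, that contrasts the slash-only replacement in the diff with the reviewer's suggested urllib.parse.quote(the_string, safe='') and builds a purl for the "repo_name/product_name" monorepo case raised above. The build_purl and parse_purl helpers, and the sample inputs, are assumptions constructed for this illustration; the point they show is that quote with safe='' encodes the slash and every other reserved character (such as '@' and '#'), so the encoded name and version survive a round trip through a purl string.

```python
from urllib.parse import quote, unquote


def escape_slash_only(value):
    """The approach in the diff: only '/' is replaced, everything else is left as-is."""
    return value.replace("/", "%2F") if value else value


def escape_component(value):
    """The reviewer's suggestion: percent-encode with safe='' so '/' is encoded too.

    quote() leaves only alphanumerics and '_.-~' untouched when safe is empty.
    """
    return quote(value, safe="") if value else value


def build_purl(pkg_type, name, version=None, namespace=None):
    """Assemble pkg:type/namespace/name@version (hypothetical helper, not the project's API).

    Namespace segments are encoded one by one so the '/' separators between them survive,
    while name and version are encoded as single components, so a '/' inside them becomes %2F.
    """
    parts = ["pkg:" + pkg_type]
    if namespace:
        parts.append("/".join(escape_component(seg) for seg in namespace.strip("/").split("/")))
    parts.append(escape_component(name))
    purl = "/".join(parts)
    if version:
        purl += "@" + escape_component(version)
    return purl


def parse_purl(purl):
    """Split a purl back into its components (hypothetical helper).

    Works only because name and version were fully percent-encoded: an unencoded '@' or '/'
    inside them would be mistaken for the version or namespace separator.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[len("pkg:"):]
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = rest.split("/")
    pkg_type = segments[0]
    name = unquote(segments[-1])
    namespace = "/".join(unquote(seg) for seg in segments[1:-1]) or None
    return {"type": pkg_type, "namespace": namespace, "name": name, "version": version}


if __name__ == "__main__":
    # Constructed sample: the monorepo case from the discussion, plus a version containing '/'
    for value in ("repo_name/product_name", "a/b#c@d"):
        print(value, "->", escape_slash_only(value), "vs", escape_component(value))
    purl = build_purl("github", "repo_name/product_name", version="1.0/2", namespace="org")
    print(purl)
    print(parse_purl(purl))
```

Running the block prints the two encodings side by side: the slash-only version leaves '#' and '@' in place, where quote(..., safe='') yields %23 and %40, and parse_purl recovers the original name and version from the fully encoded purl.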