When passing in a URL encoded name to PackageURL.from_string, it de-encodes the string, which is correct to have the actual name. However, when rendering this out as a string, it does not re-encode the string, resulting in an incorrect PURL.
>>> import packageurl
>>> from urllib.parse import quote_plus
>>> quote_plus("parent/child")
'parent%2Fchild'
>>> p = packageurl.PackageURL.from_string(f"pkg:my_type/my_namepace/{quote_plus('parent/child')}/@1234")
>>> p
PackageURL(type='my_type', namespace='my_namepace', name='parent/child', version='1234', qualifiers={}, subpath=None)That is correct, as the name is parent/child. However:
>>> str(p)
'pkg:my_type/my_namepace/parent/child@1234'
Which is an invalid/incorrect PURL.
The fix looks easy. This line https://github.com/package-url/packageurl-python/blob/main/src/packageurl/__init__.py#L458 instead of being
looks like it should be
purl.append(urllib.parse.quote_plus(name))
When passing in a URL encoded name to
PackageURL.from_string, it de-encodes the string, which is correct to have the actual name. However, when rendering this out as a string, it does not re-encode the string, resulting in an incorrect PURL.That is correct, as the name is
parent/child. However:Which is an invalid/incorrect PURL.
The fix looks easy. This line https://github.com/package-url/packageurl-python/blob/main/src/packageurl/__init__.py#L458 instead of being
looks like it should be