Mirror of https://github.com/openSUSE/osc.git, synced 2025-09-06 05:08:42 +02:00
Without escaping the % character, the download URL could be subject to string formatting (depending on the subsequent characters). For instance, if the url attribute's value of a buildinfo's path element contains the substring "c_c%2B%2B", the "%2B" is interpreted as a format string (see issue #965), which is wrong ("B" is not a valid format character at all). In order to avoid this, escape all % characters in the download urls.

Note: escaping the % characters in the download url itself is OK because we only intend to "format" the path.

Note: we do not escape the % characters for urls from the config file (implicit assumption: the user already correctly escaped the urls (whether this assumption is sensible or not is debatable, of course)).

Fixes: #965 ("unsupported format character 'B' (0x42) at index 66")
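The behaviour described in the commit message, as an added Python example that is not osc's own code: a percent-encoded download URL is joined with a path template and passed through `%` formatting, once unescaped and once with `%` doubled. `PATH_TEMPLATE`, `FIELDS`, the function names and the `download.example` URLs are assumptions constructed for illustration.

```python
# Added example; PATH_TEMPLATE, FIELDS and all URLs below are constructed.
PATH_TEMPLATE = "/%(arch)s/%(filename)s"
FIELDS = {"arch": "x86_64", "filename": "gcc-c++.rpm"}


def make_template(download_url, escape=True):
    """Append the path template to a download URL taken from external data.

    With escape=True every literal '%' in the URL is doubled, so the later
    '%' formatting expands only the placeholders of PATH_TEMPLATE.
    """
    if escape:
        download_url = download_url.replace("%", "%%")
    return download_url + PATH_TEMPLATE


def render(download_url, escape=True):
    """Return (status, value); status is 'ok', 'corrupted' or 'error'."""
    # Reference result: the URL is kept verbatim, only the path is formatted.
    expected = download_url + PATH_TEMPLATE % FIELDS
    try:
        result = make_template(download_url, escape) % FIELDS
    except (ValueError, TypeError) as exc:
        return "error", str(exc)
    return ("ok" if result == expected else "corrupted"), result


if __name__ == "__main__":
    samples = [
        "https://download.example/repo/c_c%2B%2B",   # '%2B': 'B' is not a conversion type
        "https://download.example/repo/a%2Fb",       # '%2F': float conversion applied to a dict
        "https://download.example/repo/my%20stuff",  # '%20s': valid spec, formats the mapping itself
        "https://download.example/repo/plain",       # no '%': unaffected either way
    ]
    for url in samples:
        print(url)
        print("  unescaped:", render(url, escape=False))
        print("  escaped:  ", render(url, escape=True))
```

The `%20s` sample is the case to watch for in review: no exception is raised, so the altered URL only shows up when the result is compared with the expected one.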