From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563

When we pass a string to is_safe_percent_encode, it always begins with
"%'.  But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.

Also update the test suite to fix the false positive.

Signed-off-by: Xi Ruoyao <xry111@xry111.site>

Backported-by: Samuel Henrique <samueloph@debian.org>
 * Modify wcurl patch to apply on curl sources by changing the location of the
   wcurl script from wcurl to scripts/wcurl.
 * Drop changes to wcurl's tests as they are not in the curl sources.
---
 scripts/wcurl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/wcurl b/scripts/wcurl
index 56c04ba..cbe7b1a 100755
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
 # characters.
 # 2F = /
 # 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"

 # Whether to invoke curl or not.
 DRY_RUN="false"