https://bugs.gentoo.org/966140
https://github.com/curl/wcurl/commit/65546bae0164a97d89d42176e366d9c7c7796261
From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563

When we pass a string to is_safe_percent_encode, it always begins with "%'. But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so nothing can be matched. Also update the test suite to fix the false positive.
Signed-off-by: Xi Ruoyao
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
 # characters.
 # 2F = /
 # 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
 
 # Whether to invoke curl or not.
 DRY_RUN="false"
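Review bot: The legend comments above `UNSAFE_PERCENT_ENCODE` still list bare hex pairs (`# 2F = /`, `# 5C = \`), and nothing records that table entries must carry the leading `%`, which per the commit message is the mismatch that left the earlier CVE-2025-11563 fix without effect. I would add a comment directly above the `readonly` line, for example `# Entries include the leading "%": is_safe_percent_encode is passed the whole %XX token.` The comparison itself lives in is_safe_percent_encode, outside this hunk; if it does not normalise case before matching, `%2f` and `%5c` would presumably still be treated as safe to decode, so that is worth confirming. The commit message mentions a test-suite update that is not shown on this page; a test asserting that both encodings stay encoded in the output file name would guard against a repeat.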