Description
Problem
Using unescaped + characters in URLs can cause issues in some scenarios. crates.io currently handles them correctly, but e.g. S3 is not quite following the spec.
cargo currently does not perform any escaping on URLs with + characters in them.
Proposed Solution
The safest way forward would be for cargo to encode + characters as %2B, which should be seen as equivalent by all spec-conforming implementations.
While crates.io can handle + correctly, the current behavior could cause issues during incidents where the download endpoint is switched to target S3 directly.
More information and a detailed investigation is available in rust-lang/crates.io#4891 (comment)
Notes
I guess technically this could be seen as a breaking change, but it could also be interpreted as a low-impact bugfix that would only break third-party registry implementations that didn't follow the spec previously. It might make sense to hide this behind a feature flag initially to give the bigger third-party implementers a chance of testing the change with their infrastructure before it is enabled for everyone.
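The mismatch described above, as an added Rust example that is not part of the original issue and not cargo's code. The crate name, the version, the path layout and the lenient decoder (a server that treats + in a path as a space) are assumptions made for illustration.

```rust
// Added illustration, not cargo's code; every name here is hypothetical.

/// Percent-encode one path segment, leaving only RFC 3986 unreserved
/// characters literal, so '+' (a sub-delim) is emitted as %2B.
fn encode_segment(segment: &str) -> String {
    let mut out = String::new();
    for b in segment.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Assumed download path layout; `escape` selects raw or escaped version.
fn download_path(name: &str, version: &str, escape: bool) -> String {
    let v = if escape { encode_segment(version) } else { version.to_string() };
    format!("/crates/{0}/{0}-{1}.crate", name, v)
}

/// Decode a request path as a server would before looking up the object.
/// plus_as_space = false models spec-conforming path decoding;
/// plus_as_space = true models an assumed lenient, form-style decoder.
fn decode_path(path: &str, plus_as_space: bool) -> String {
    let bytes = path.as_bytes();
    let (mut out, mut i) = (Vec::new(), 0);
    while i < bytes.len() {
        let hex = path.get(i + 1..i + 3).filter(|h| h.bytes().all(|c| c.is_ascii_hexdigit()));
        match (bytes[i], hex) {
            (b'%', Some(h)) => { out.push(u8::from_str_radix(h, 16).unwrap()); i += 3; }
            (b'+', _) if plus_as_space => { out.push(b' '); i += 1; }
            (b, _) => { out.push(b); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

fn main() {
    // Constructed sample: a version carrying semver build metadata.
    for escape in [false, true] {
        let p = download_path("demo", "1.0.0+build.5", escape);
        println!("{}\n  strict:  {}\n  lenient: {}", p, decode_path(&p, false), decode_path(&p, true));
    }
}
```

With the raw + the two decoders resolve different object names; with %2B they agree.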