File download from package registry fails when + is used in the package path
Summary
File download fails with the error below if the + character is used in the package name; uploading it works fine.
When we use the path below:
/api/v4/projects/:id/packages/generic/github.com/mirror/xx/xx/releases/download/21.0.9+11/xx-x+11-linux-amd64.tar.gz
We get encoded path:
xx%xx%2Freleases%2Fdownload%2F21.0.9%2B11%2Fxx-x21.0.9%2B11-linux-amd64.tar.gz
If we try to download the file we get the error:
"exception.class": "Gitlab::Utils::DoubleEncodingError",
"exception.message": "path xx%xx%2Freleases%2Fdownload%2F21.0.9%2B11%2Fxx-x21.0.9%2B11-linux-amd64.tar.gz is not allowed",
When we replace the + with -, the file download works fine.
This appears to happen when the path is double decoded here: https://gitlab.com/gitlab-org/gitlab/-/blob/master/gems/gitlab-utils/lib/gitlab/utils.rb#L20
And once the path is decoded a second time we get spaces in the path, hence probably the error:
xx/xx/releases/download/21.0.9 11/xx-x21.0.9 11-linux-amd64.tar.gz
According to the documentation, the + character should be allowed: https://docs.gitlab.com/user/packages/generic_packages/#valid-package-filename-format
Results of GitLab environment info
GitLab version: 18.5.2
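
The double-decode behaviour described in this issue can be reproduced in isolation. The following is an added example, not part of the original issue and not GitLab's code: it assumes the check decodes with form rules (`CGI.unescape`), and `decode_path`, `percent_decode`, `outcome` and the sample paths are constructed for illustration. It runs the same "decode twice and compare" guard with a form decoder and with a strict percent-decoder to show which inputs each one rejects.

```ruby
require "cgi"

class DoubleEncodingError < StandardError; end

# Percent-decoding only (RFC 3986 style): "+" stays a literal plus sign.
def percent_decode(str)
  str.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Guard pattern: decode once, decode again, and reject the path if the
# second pass still changes it (a sign of double encoding).
def decode_path(encoded, decoder)
  once = decoder.call(encoded)
  raise DoubleEncodingError, "path #{encoded} is not allowed" if once != decoder.call(once)
  once
end

# Returns the decoded path, or :rejected when the guard fires.
def outcome(encoded, decoder)
  decode_path(encoded, decoder)
rescue DoubleEncodingError
  :rejected
end

# Assumption: form decoding, where "+" is also turned into a space.
FORM_DECODE   = CGI.method(:unescape)
STRICT_DECODE = method(:percent_decode)

# Constructed sample paths modelled on the one in the issue.
PLUS_PATH   = "download%2F21.0.9%2B11%2Fpkg-21.0.9%2B11-linux-amd64.tar.gz"
HYPHEN_PATH = "download%2F21.0.9-11%2Fpkg-21.0.9-11-linux-amd64.tar.gz"
DOUBLE_PATH = "download%252F21.0.9%252Fpkg.tar.gz" # "%2F" encoded a second time

[PLUS_PATH, HYPHEN_PATH, DOUBLE_PATH].each do |path|
  puts path
  puts "  form decoder:   #{outcome(path, FORM_DECODE).inspect}"
  puts "  strict decoder: #{outcome(path, STRICT_DECODE).inspect}"
end
```

With the form decoder, the first pass turns `%2B` into `+` and the second pass turns that `+` into a space, so the guard cannot tell a legitimate plus sign from a doubly encoded path. The strict decoder still rejects the `%252F` case.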