Ref T6755. See discussion at https://fin1te.net/articles/safecurl-capture-the-bitcoins-post-mortem/.
We already handle these cases safely, but add test coverage to underscore that.
Basically, in all these cases, we:
- parse the ambiguous URI with parse_url(), which chooses some interpretation; then
- emit an unambiguous URI which has only one reasonable interpretation.
So it's OK if we don't choose the same interpretation as cURL on ambiguous URIs, because we only pass unambiguous URIs to cURL.