KelvinTegelaar / AzPwPush

11 stars 10 forks source link

Password Creation Method may accidentally store wrong password #5

Closed shellster closed 4 years ago

shellster commented 4 years ago

Admittedly, this issue is user error, but if a user passes in a Password parameter and does not correctly escape a "=" sign, the current method of grabbing the password value, will only grab everything to the right of the last "=" sign. This could cause serious, unintended consequences. There is already a separate issue for the not allowing passing of a password as a GET parameter.

KelvinTegelaar commented 4 years ago

All passwords are send URL Encoded and only decoded right before saving. Have you seen this to be an issue and could you let me know how to reproduce? :)

shellster commented 4 years ago

If someone uses the Web Application, they will not run into problems. This issue is strictly around preventing accidental user error. Observe the following request:

Invoke-WebRequest -Uri https://pw.cyberdrain.com/create -Method POST -Body 'password=Thiswill=break'

Obviously, this is a user mistake (not URL encoding the parameter), but it is a fairly understandable mistake, hence in my PR why I explicitly check for "=" and store everything after the first one. If you don't believe it to be a serious enough issue, I definitely understand.

KelvinTegelaar commented 4 years ago

Good call, this actually makes me think of creating another endpoint for programmatic access too. I'll integrate your changes.