Closed shellster closed 4 years ago
All passwords are sent URL encoded and only decoded right before saving. Have you seen this to be an issue, and could you let me know how to reproduce? :)
If someone uses the Web Application, they will not run into problems. This issue is strictly around preventing accidental user error. Observe the following request:
Invoke-WebRequest -Uri https://pw.cyberdrain.com/create -Method POST -Body 'password=Thiswill=break'
Obviously, this is a user mistake (not URL encoding the parameter), but it is a fairly understandable mistake, hence why, in my PR, I explicitly check for "=" and store everything after the first one. If you don't believe it to be a serious enough issue, I definitely understand.
Good call, this actually makes me think of creating another endpoint for programmatic access too. I'll integrate your changes.
Admittedly, this issue is user error, but if a user passes in a Password parameter and does not correctly escape a "=" sign, the current method of grabbing the password value will only grab everything to the right of the last "=" sign. This could cause serious, unintended consequences. There is already a separate issue for not allowing a password to be passed as a GET parameter.
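To make the parsing point in this thread concrete, here is an added example (not code from the project or from either commenter) that reimplements the three behaviours discussed: taking everything after the last "=", taking everything after the first "=" as the PR proposes, and handing the body to a standard form parser. The function names and the sample bodies are constructed for illustration; the un-encoded body is the one from the Invoke-WebRequest call above.

```python
"""Parsing a form body such as `password=Thiswill=break`: splitting on the
LAST '=' loses part of the password; splitting on the FIRST '=' (the PR's fix)
or using a real form parser keeps it intact."""
from urllib.parse import parse_qs, quote_plus

# Constructed sample bodies, not captured from the service.
RAW_BODY = "password=Thiswill=break"                       # client forgot to URL encode
ENCODED_BODY = "password=" + quote_plus("Thiswill=break")  # password=Thiswill%3Dbreak


def password_after_last_equals(body: str) -> str:
    """Hypothetical reimplementation of the behaviour the issue describes:
    keep only what follows the last '='. With RAW_BODY this yields 'break'."""
    return body.rsplit("=", 1)[1]


def password_after_first_equals(body: str) -> str:
    """The PR's approach: keep everything after the first '='.
    Assumes the body carries a single field (no '&' separators)."""
    _, sep, value = body.partition("=")
    if not sep:
        raise ValueError("no '=' in body")
    return value


def password_from_form(body: str) -> str:
    """Standards-based alternative: a form parser splits each pair on the
    first '=' and percent-decodes the value, so RAW_BODY and ENCODED_BODY
    produce the same password. strict_parsing makes malformed pairs an error
    instead of silently dropping them."""
    fields = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    values = fields.get("password", [])
    if len(values) != 1:
        raise ValueError("expected exactly one password field")
    return values[0]


def form_parse_rejects(body: str) -> bool:
    """True when the strict form parser refuses the body (e.g. a stray '&'
    that starts a field with no '='). Used to show the limit of any fix that
    does not involve the client encoding its input."""
    try:
        password_from_form(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for body in (RAW_BODY, ENCODED_BODY):
        print(body)
        print("  last  '=':", password_after_last_equals(body))
        print("  first '=':", password_after_first_equals(body))
        print("  form parse:", password_from_form(body))
```

Note that the first-"=" fix covers the mistake shown in the thread, but it cannot recover a password containing an unencoded "&": the form grammar treats that as a field separator, and a strict parser rejects the body rather than storing a truncated value, which is the safer failure mode for a secret.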