Skip to content

Ensure that an OTP's issuer and label values are escaped correctly #391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 7, 2024
Merged

Ensure that an OTP's issuer and label values are escaped correctly #391

merged 3 commits into from
Apr 7, 2024

Conversation

josh-
Copy link
Contributor

@josh- josh- commented Mar 8, 2022
edited
Loading

Summary

This PR fixes/implements the following bugs/features:

  • Creating an OTP with an issuer/label that contains a space or other restricted characters does not properly escape the issuer/label

What existing problem does the pull request solve?**

Currently, if you create an OTP with an issuer that contains a space, for example:

var oneTimePassword = new OneTimePassword {
	Issuer = "Google Google",
	Label = "[email protected]",
	Secret = "pwq6 5q55"
};

and then call ToString on that oneTimePassword, that will return:

otpauth://totp/Google Google:[email protected]?secret=pwq65q55&issuer=Google%20Google

(note the first "Google Google" is not escaped, like the second one in the issuer parameter)

which then looks like this in Google Authenticator after scanning the resulting QR code:

File

This PR resolves this issue by correctly escaping both instances of the issuer in the URL, which then appears correctly in Google Authenticator:

otpauth://totp/Google%20Google:[email protected]?secret=pwq65q55&issuer=Google%20Google

Test plan

Test cases have been added.

Closing issues

N/A

@prvacy
Copy link

prvacy commented Mar 9, 2022
edited
Loading

I discovered the same problem yesterday, thank you for the fix! Also, MS Authenticator does not support unescaped URLs, so that fix is really important.

@tom-156842
Copy link

Thanks for this fix, it addresses issue #375.

I suggest also escaping the Label value, since an email address can contain / and ? characters.

@josh-
Copy link
Contributor Author

josh- commented Mar 15, 2022

Thanks for this fix, it addresses issue #375.

I suggest also escaping the Label value, since an email address can contain / and ? characters.

Thanks @tom-156842, done 👍

@josh- josh- changed the title Ensure that an OTP's issuer is correctly escaped when it contains a space Ensure that an OTP's issuer and label values are escaped correctly Mar 15, 2022
@ahwm ahwm mentioned this pull request Apr 13, 2022
Closed
@hdocsek
Copy link

hdocsek commented Oct 31, 2022
edited
Loading

@codebude Do you have any update on when this fix will be released?

doggy8088
doggy8088 approved these changes Aug 30, 2023
View reviewed changes
Copy link

@doggy8088 doggy8088 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@codebude

@Shane32 Shane32 mentioned this pull request Apr 2, 2024
Merged
@Shane32
Copy link
Contributor

Shane32 commented Apr 6, 2024

All changes here look good. Generated QR codes scan properly with Google Authenticator. Tests have already been added 👍

@codebude codebude merged commit 56ace43 into codebude:master Apr 7, 2024
@codebude codebude mentioned this pull request Apr 7, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@doggy8088 doggy8088 doggy8088 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@josh- @prvacy @tom-156842 @hdocsek @Shane32 @doggy8088 @codebude