
Passwords with characters that have special meanings in URLs not being escaped

Open bilditup1 opened this issue 3 years ago • 6 comments

I've been having some login issues and have come to the conclusion that passwords with special characters--specifically, the plus sign "+", ampersand "&", and percent sign "%" (*), though this may not be exhaustive--are not being converted to HTML equivalents before being submitted. This results in a failure to log in, as the submitted password is either truncated or otherwise mangled (unsure, passwords not being logged and I already spent a couple of hours on this). I would have assumed such a thing would be done automatically for you, but apparently not. Looks like calling addingPercentEncoding when setting password in Classes/Models/API Models/Server.swift (I think? I am not familiar with the language or framework and haven't used this paradigm in a bit) could solve this.

Tested with navidrome-head in a FreeBSD 12 jail. This occurs whether connecting directly or via reverse proxy. Web app and the one other iOS app I tried don't have this problem.

(*) interestingly unescaped "@" worked, which should not be legal but there ya go (ed: I guess if you're submitting a password as a regular query parameter then that will in fact work)

bilditup1 avatar Jun 12 '21 15:06 bilditup1
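An added illustration of the mechanism described in this report (Python, not code from iSubMusicStreamer): a password interpolated raw into the query string is cut at "&" and has "+" read as a space by the server, and escaping with a generic "query allowed" character set (what CharacterSet.urlQueryAllowed permits, mimicked here) still leaves "&" and "+" bare, so the fix has to encode every reserved character in the value. The credentials and server name are constructed.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample credentials (not from the issue thread): the password
# contains the three characters the reporter names ('+', '&', '%') plus a space.
USER = "alice"
PASSWORD = "p+ss&w%rd 42"
BASE = "https://music.example.test"  # placeholder server, assumed

# Characters beyond the unreserved set that a "query allowed" character set
# (such as CharacterSet.urlQueryAllowed) leaves unescaped. Mimicking that set
# shows why escaping with it does not fix the bug.
QUERY_ALLOWED_EXTRA = "!$&'()*+,;=:@/?"


def naive_login_url(user, password):
    """The failure mode in the report: raw interpolation into the query string."""
    return f"{BASE}/rest/ping.view?u={user}&p={password}&v=1.16.1&c=demo"


def query_allowed_login_url(user, password):
    """Escapes only what a 'query allowed' set forbids; '&' and '+' survive."""
    p = quote(password, safe=QUERY_ALLOWED_EXTRA)
    return f"{BASE}/rest/ping.view?u={user}&p={p}&v=1.16.1&c=demo"


def encoded_login_url(user, password):
    """Correct form: every value percent-encoded, no reserved character left bare."""
    # quote (not quote_plus) so that '+' becomes %2B and ' ' becomes %20.
    query = urlencode({"u": user, "p": password, "v": "1.16.1", "c": "demo"},
                      quote_via=quote)
    return f"{BASE}/rest/ping.view?{query}"


def password_as_server_sees_it(url):
    """Decode the way a Subsonic-style server does: split on '&', then unquote."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("p", [None])[0]


if __name__ == "__main__":
    for build in (naive_login_url, query_allowed_login_url, encoded_login_url):
        seen = password_as_server_sees_it(build(USER, PASSWORD))
        print(f"{build.__name__:26} server sees {seen!r} ok={seen == PASSWORD}")
```

Only the fully encoded form round-trips; the other two are cut at the "&" and have "+" turned into a space, which matches the truncated-or-mangled behaviour the report describes.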

(it strikes me that this is not secure, but that's something that needs to change in the api)

bilditup1 avatar Jun 12 '21 16:06 bilditup1

This problem persists after enabling Basic Auth in the settings. I'm not sure if this is something that Navidrome even supports though, and don't wanna check the logs again rn

bilditup1 avatar Jun 12 '21 16:06 bilditup1

This problem persists. The randomly generated password I used for Airsonic didn't work in iSub; I was trying to figure it out for a while, then I noticed in the nginx log that the & wasn't being escaped. Should be a simple fix to add URL encoding to the password string.

alyssadev avatar Sep 14 '23 07:09 alyssadev

This problem persists

mmm, but see readme. unless someone has forked, this is abandonware now :/

bilditup1 avatar Sep 17 '23 04:09 bilditup1

Fair, I found this app pretty recently; I prefer it to substreamer for compatibility with Airsonic. Maybe I'll try patching in some features myself.

alyssadev avatar Sep 17 '23 05:09 alyssadev

more power to you, good luck

bilditup1 avatar Sep 17 '23 08:09 bilditup1