authorChristian Grothoff <christian@grothoff.org>2021-11-20 23:37:44 +0100
committerChristian Grothoff <christian@grothoff.org>2021-11-20 23:37:44 +0100
commit0f168f2beb607cbe681f1b37be5d92585fa7922b (patch)
treedf350c1adadfc5035966f1d4234f5698571bba38 /src/lib
parent861828957b4b2004656de7eda4bc4f313a218277 (diff)
fix #7034: URL decode authorization header token
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/merchant_api_post_instance_auth.c19
-rw-r--r--src/lib/merchant_api_post_instances.c8
2 files changed, 25 insertions, 2 deletions
diff --git a/src/lib/merchant_api_post_instance_auth.c b/src/lib/merchant_api_post_instance_auth.c
index 382e9c42..e2936c5c 100644
--- a/src/lib/merchant_api_post_instance_auth.c
+++ b/src/lib/merchant_api_post_instance_auth.c
@@ -174,11 +174,28 @@ TALER_MERCHANT_instance_auth_post (
}
else
{
+ char *enc;
+
+ if (0 != strncasecmp (RFC_8959_PREFIX,
+ auth_token,
+ strlen (RFC_8959_PREFIX)))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Authentication token must start with `%s'\n",
+ RFC_8959_PREFIX);
+ GNUNET_free (iaph->url);
+ GNUNET_free (iaph);
+ return NULL;
+ }
+ (void) GNUNET_STRINGS_urlencode (auth_token,
+ strlen (auth_token),
+ &enc);
req_obj = GNUNET_JSON_PACK (
GNUNET_JSON_pack_string ("method",
"token"),
GNUNET_JSON_pack_string ("token",
- auth_token));
+ enc));
+ GNUNET_free (enc);
}
GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
"Requesting URL '%s'\n",
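Review bot: The whole `auth_token`, `RFC_8959_PREFIX` included, is passed to `GNUNET_STRINGS_urlencode` in the added call, so if that encoder escapes `:` the value packed into the JSON body no longer begins with the prefix the check just above verified; the encoder's escape set is not visible on this page, so this should be confirmed against what the backend compares. The commit title says "URL decode" while the client code encodes, and nothing in the code records which side reverses the encoding; once confirmed, a comment above the call such as `/* backend URL-decodes the token (#7034), so it is sent encoded */` would state the contract. The same applies to the matching hunk in `merchant_api_post_instances.c`. The body of `TALER_MERCHANT_instance_auth_post` begins and continues outside this hunk.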
diff --git a/src/lib/merchant_api_post_instances.c b/src/lib/merchant_api_post_instances.c
index 0fa7063f..19104aa5 100644
--- a/src/lib/merchant_api_post_instances.c
+++ b/src/lib/merchant_api_post_instances.c
@@ -182,6 +182,8 @@ TALER_MERCHANT_instances_post (
if (NULL != auth_token)
{
+ char *enc;
+
if (0 != strncasecmp (RFC_8959_PREFIX,
auth_token,
strlen (RFC_8959_PREFIX)))
@@ -191,11 +193,15 @@ TALER_MERCHANT_instances_post (
RFC_8959_PREFIX);
return NULL;
}
+ (void) GNUNET_STRINGS_urlencode (auth_token,
+ strlen (auth_token),
+ &enc);
auth_obj = GNUNET_JSON_PACK (
GNUNET_JSON_pack_string ("method",
"token"),
GNUNET_JSON_pack_string ("token",
- auth_token));
+ enc));
+ GNUNET_free (enc);
}
else
{
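Review bot: The prefix check, `GNUNET_STRINGS_urlencode` call, pack and `GNUNET_free (enc)` here are now a copy of the sequence this commit adds to `TALER_MERCHANT_instance_auth_post`, with nothing tying the two sites together. If one site later changes how the token is encoded and the other does not, a token set through one call would not match what the other call sends for the same secret. A cross-reference comment above the encode call, e.g. `/* token encoding must match TALER_MERCHANT_instance_auth_post() */`, or a single shared helper, would keep them aligned. The enclosing function starts and ends outside this hunk.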