Characters in 'secret' POST Variable Break Results

Question

Characters in 'secret' POST Variable Break Results

AndrewPaglusch opened this issue 8 years ago · 0 comments

Adding an ampersand in the secret variable when using the nostyle=true argument to generate links will break the resulting message.

For example:

Request
curl -s -X POST -d "nostyle=true&secret=1&2&3&4&5" http://password.paglusch.com

Will return:
http://password.paglusch.com/?k=OeLX-jHAm-Wc6ijRMvScfoYFG1p9mr2dwSTSPafRoss$

Which is recovered incorrectly:
curl -s -X POST -d "nostyle=true" http://password.paglusch.com/?k=OeLX-jHAm-Wc6ijRMvScfoYFG1p9mr2dwSTSPafRoss$ 1

Requiring incoming data in the secret argument to be Base64 encoded beforehand may solve this. The "/" character, which is occasionally returned by Base64 encoding, may also cause problems. This will have to be tested.