Passwords With percent sign causes Authentication Error in GitAuthorizeAttribute

[spivack1212-zz]

If a user's password contains a percent sign, the GitAuthorizeAttribute.IsUserAuthorized() method will incorrectly decode the password which always results in an Authentication failure. This is due to the use of Uri.UnescapeDataString() to extract the password out of the decoded auth header value.

For example, Password%4299 would be decoded to PasswordB99 before the authentication attempt.

This is with the following config options:

<add key="AuthenticationProvider" value="Cookies" />
<add key="MembershipService" value="Internal" />

[willdean]

Thanks for this - I think you're right and there's no reason for those UnescapeDataString calls at all - the whole token is base-64 encoded anyway, so there would be no need for further escaping, and as far as I can tell it isn't part of the HTTP spec to URI-encode name/password before building the base-64 string.

The calls got added before my time, and as part of a large modification by someone who's no longer involved, so I'm not really sure of their history.

If you concur that they're a completely unnecessary mistake we'll remove them.

[rogerjak]

Same issue for me, but with question mark (?) in the password. (AD integration)