Android: OCS Share API. password parameter not x-www-form-encoded

Created on 30 Nov 2016 · 6 Comments · Source: owncloud/android

Actual behaviour

Example
When I put _Hello%20World_ as password, the client doesn't encode the value and sends it without any change to the server.
So, when I navigate to the URL returned by the server and introduce _Hello%20World_ as password, I get a password authentication error... The password that I should introduce to get access is _Hello World_

Other example
If I choose _Hello&World_ as password -> The server takes _Hello_ as password

Expected behaviour

The password should be exactly what I typed

Steps to reproduce

The password parameter in https://doc.owncloud.org/server/9.1/developer_manual/core/ocs-share-api.html#update-share is sent by the Android client to the server without x-www-form-encoding.
The Windows desktop client is sending the password in the right way, so the server doesn't get messed up.

Can this problem be reproduced with the official owncloud server?
(url: https://demo.owncloud.org, user: test, password: test)
Don't know

Environment data

Android version:
7.1.1

Device model:
Nexus 5x

Stock or customized system:
Stock

ownCloud app version:
2.1.2
ownCloud server version:
9.1.1

Logs

Web server error log

ownCloud log (data/owncloud.log)

approved by qa bug sev2-high public_link
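
Added example, not part of the original report and not ownCloud code: it reproduces the two reported cases by parsing an unencoded and an encoded form body the way a standard x-www-form-urlencoded parser does. Python's urllib.parse stands in for the server-side parser, and the helper names and the third sample password are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Passwords from the report, plus one constructed case ("a+b=c").
SAMPLE_PASSWORDS = ["Hello%20World", "Hello&World", "a+b=c"]


def naive_body(params):
    """Unencoded body: values are concatenated exactly as typed (the reported bug)."""
    return "&".join(f"{key}={value}" for key, value in params.items())


def encoded_body(params):
    """Body with every key and value percent-encoded for x-www-form-urlencoded."""
    return urlencode(params)


def server_view(body):
    """Decode a form body the way a form parser on the receiving side would."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def mangled(build_body, passwords=SAMPLE_PASSWORDS):
    """Return {typed: received} for every password the round trip changes."""
    changed = {}
    for typed in passwords:
        received = server_view(build_body({"password": typed})).get("password")
        if received != typed:
            changed[typed] = received
    return changed


if __name__ == "__main__":
    for typed, received in mangled(naive_body).items():
        print(f"typed {typed!r} -> server stores {received!r}")
    print("mangled after encoding:", mangled(encoded_body))
```

With the unencoded body, _Hello&World_ is stored as _Hello_, so the public link ends up protected by a shorter password than the one the user chose.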

All 6 comments

Thanks for the report @marcos-guerrero

We keep it in mind for the following releases

@davivel @davigonz

This is a security issue and should be included in the next release, do you think it will be possible?

Sure, I will check it in the next days.

@jesmrec, @davivel, this bug is fixed, pending to review and pass QA

Approved.

CC @davigonz @davivel

Merged and ready to go in release 2.3.0
