[Bug] Auth with unsecure URL applies htmlspecialchars() escape before username/password comparison

[Draky50110]

Describe the bug

Hello.

I tried the "unsecure" method to login : https://subdomain.domain.fr/frss/p/i/?c=auth&a=login&u=USER&p=PASSWORD

It works perfectly if password is without special char inside like "Toto1234" but changing it to "Toto&1234" will not work anywork and gives a "invalid ID" error message.

How could I use this method with a more secure password ?

Thanks

To Reproduce

1. Go to '…'
2. Click on '…'
3. Scroll down to '…'
4. See error

Expected behavior

Use a password with special char inside.
Tested with "&".

FreshRSS version

1.24.3

Environment information

PHP 8.2
MariaDB 10.11
Apache 2.4.59

Additional context

No response

[Frenzie]

In that context you'd have to encode it as %26, because & is a special character in the URL for query parameters. You can run encodeURIComponent() in your browser to do it for you.

[Draky50110]

No, it does not work.
I tried this : https://xxx.com/frss/p/i/?c=auth&a=login&u=user.test&p=MyPassWord%26 and it gives me an invalid ID message.

Log shows : Unsafe password mismatch for user user.test

[Frenzie]

It seems to have been turned into &. Somewhere a htmlspecialchars_utf8() must be applied that shouldn't be.

[Frenzie]

As a workaround, it should suffice to avoid &, ", ', <, and >. Anything else should be left alone.

Pinging @Alkarex in case he knows where to fix this without investigating in depth.

[Frenzie]

Anything else should be left alone.

But other characters relevant to URLs like # will of course still have to be encoded as %23, or they won't reach the server at all.

[Draky50110]

Ok, thanks for all.

Will change password AND wait for a fix ;)