From 4e13e69de3c1e59be045dedd043d5566dcae00ff Mon Sep 17 00:00:00 2001
From: Petr Mikhalicin
Date: Sat, 27 Dec 2025 01:30:37 +0500
Subject: [PATCH] plugin otp: Fix handling of unknown otpauth uri parameters

OTP uri parameters is key value options separated by '&'. So, we on unknown params we have to reject also everything what was behind '&'

Example: otpauth://totp/kek?issuer=petya%40IPARTKN.TEST&secret=1234567890&digits=6&algorithm=SHA1&period=30

"algorithm" was unknown. So, next token after it was "SHA1&period", not "period"

Change-Id: I48eb198fd46212c6422dd8eac214adafdf3a52eb
---
 apps/plugins/otp.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/apps/plugins/otp.c b/apps/plugins/otp.c
index dcd6cca14f..7dab446419 100644
--- a/apps/plugins/otp.c
+++ b/apps/plugins/otp.c
@@ -331,6 +331,10 @@ static void add_acct_file(void)
         if(!tok)
             continue;
 
+        char* tok_val = rb->strtok_r(NULL, "&", &save);
+        if(!tok_val)
+            continue;
+
         if(!rb->strcmp(tok, "secret"))
         {
             if(have_secret)
@@ -339,8 +343,7 @@ static void add_acct_file(void)
                 goto fail;
             }
             have_secret = true;
-            tok = rb->strtok_r(NULL, "&", &save);
-            if((accounts[next_slot].sec_len = base32_decode(accounts[next_slot].secret, SECRET_MAX, tok)) <= 0)
+            if((accounts[next_slot].sec_len = base32_decode(accounts[next_slot].secret, SECRET_MAX, tok_val)) <= 0)
                 goto fail;
         }
         else if(!rb->strcmp(tok, "counter"))
@@ -350,8 +353,7 @@ static void add_acct_file(void)
                 rb->splash(HZ * 2, "Counter parameter specified for TOTP!? Skipping...");
                 goto fail;
             }
-            tok = rb->strtok_r(NULL, "&", &save);
-            accounts[next_slot].hotp_counter = rb->atoi(tok);
+            accounts[next_slot].hotp_counter = rb->atoi(tok_val);
         }
         else if(!rb->strcmp(tok, "period"))
         {
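Review bot: The new `tok_val` fetch carries no comment saying why the value is consumed before the key is even recognised, which is the whole point of the change and is easy to undo in a later cleanup; a line such as `/* always consume the value here so an unknown key does not leave "value&nextkey" as the next token */` above the declaration would pin that down. The added `if(!tok_val) continue;` also silently drops a key that arrives without a value, so a bare `secret` leaves `have_secret` false and the account secret unset; this presumably relies on a later check of `have_secret` outside the hunk, which is worth confirming. The enclosing loop and the `tok` tokenizer call start above the hunk.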
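Review bot: `rb->atoi(tok_val)` on the new line stores whatever it parses into `hotp_counter` with no validation, so a non-numeric or negative `counter=` value is accepted silently; the `period` branch in the hunk at -360 has the same shape with a sharper consequence, since garbage or `period=0` becomes `totp_period = 0`, and if that field is later used as the TOTP time-step divisor (not visible here) it is a division by zero. The `digits` branch already rejects out-of-range values with a splash and `goto fail`, and the same guard fits both fields, e.g. `if(accounts[next_slot].totp_period <= 0) goto fail;` after the period assignment and a non-negative check after the counter assignment. Checking that `tok_val` consists only of digits before calling atoi would also reject `counter=abc` instead of turning it into 0. Both branch bodies continue past the hunk edges.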
@@ -360,13 +362,11 @@ static void add_acct_file(void)
                 rb->splash(HZ * 2, "Period parameter specified for HOTP!? Skipping...");
                 goto fail;
             }
-            tok = rb->strtok_r(NULL, "&", &save);
-            accounts[next_slot].totp_period = rb->atoi(tok);
+            accounts[next_slot].totp_period = rb->atoi(tok_val);
         }
         else if(!rb->strcmp(tok, "digits"))
         {
-            tok = rb->strtok_r(NULL, "&", &save);
-            accounts[next_slot].digits = rb->atoi(tok);
+            accounts[next_slot].digits = rb->atoi(tok_val);
             if(accounts[next_slot].digits < 1 || accounts[next_slot].digits > 9)
             {
                 rb->splashf(HZ * 2, "Digits parameter not in acceptable range, skipping.");