plugin otp: Fix handling of unknown otpauth uri parameters

OTP uri parameters is key value options separated by '&'. So, we on unknown params we have to reject also everything what was behind '&' Example: otpauth://totp/kek?issuer=petya%40IPARTKN.TEST&secret=1234567890&digits=6&algorithm=SHA1&period=30 "algorithm" was unknown. So, next token after it was "SHA1&period", not "period" Change-Id: I48eb198fd46212c6422dd8eac214adafdf3a52eb
2026-01-22 01:30:35 -05:00 · 2025-12-27 01:30:37 +05:00 · 2025-12-27 01:30:37 +05:00 · 4e13e69de3
commit 4e13e69de3
parent ca57184ff0
1 changed files with 8 additions and 8 deletions
--- a/apps/plugins/otp.c
+++ b/apps/plugins/otp.c
@ -331,6 +331,10 @@ static void add_acct_file(void)
                if(!tok)
                    continue;

+                char* tok_val = rb->strtok_r(NULL, "&", &save);
+                if(!tok_val)
+                    continue;
+
                if(!rb->strcmp(tok, "secret"))
                {
                    if(have_secret)
@ -339,8 +343,7 @@ static void add_acct_file(void)
                        goto fail;
                    }
                    have_secret = true;
-                    tok = rb->strtok_r(NULL, "&", &save);
-                    if((accounts[next_slot].sec_len = base32_decode(accounts[next_slot].secret, SECRET_MAX, tok)) <= 0)
+                    if((accounts[next_slot].sec_len = base32_decode(accounts[next_slot].secret, SECRET_MAX, tok_val)) <= 0)
                        goto fail;
                }
                else if(!rb->strcmp(tok, "counter"))
@ -350,8 +353,7 @@ static void add_acct_file(void)
                        rb->splash(HZ * 2, "Counter parameter specified for TOTP!? Skipping...");
                        goto fail;
                    }
-                    tok = rb->strtok_r(NULL, "&", &save);
-                    accounts[next_slot].hotp_counter = rb->atoi(tok);
+                    accounts[next_slot].hotp_counter = rb->atoi(tok_val);
                }
                else if(!rb->strcmp(tok, "period"))
                {
@ -360,13 +362,11 @@ static void add_acct_file(void)
                        rb->splash(HZ * 2, "Period parameter specified for HOTP!? Skipping...");
                        goto fail;
                    }
-                    tok = rb->strtok_r(NULL, "&", &save);
-                    accounts[next_slot].totp_period = rb->atoi(tok);
+                    accounts[next_slot].totp_period = rb->atoi(tok_val);
                }
                else if(!rb->strcmp(tok, "digits"))
                {
-                    tok = rb->strtok_r(NULL, "&", &save);
-                    accounts[next_slot].digits = rb->atoi(tok);
+                    accounts[next_slot].digits = rb->atoi(tok_val);
                    if(accounts[next_slot].digits < 1 || accounts[next_slot].digits > 9)
                    {
                        rb->splashf(HZ * 2, "Digits parameter not in acceptable range, skipping.");