From 698ae45a780bcc83d8dadc18aadfb049ec7c127c Mon Sep 17 00:00:00 2001
From: Tad Fisher <tad@simple.com>
Date: Sun, 19 Mar 2017 20:58:45 -0700
Subject: Fix HOTP URI parsing

---
 otp.bash | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

(limited to 'otp.bash')

diff --git a/otp.bash b/otp.bash
index 539fc7e..b95e981 100755
--- a/otp.bash
+++ b/otp.bash
@@ -38,7 +38,7 @@ otp_parse_uri() {
   uri="${uri//\`/%60}"
   uri="${uri//\"/%22}"
 
-  local pattern='^otpauth:\/\/(totp|hotp)(\/(([^:?]+)?(:([^:?]*))?))?(\?([^#&?]+))(&([^#&?]+))*$'
+  local pattern='^otpauth:\/\/(totp|hotp)(\/(([^:?]+)?(:([^:?]*))?))?\?(.+)$'
   [[ "$uri" =~ $pattern ]] || die "Cannot parse OTP key URI: $uri"
 
   otp_uri=${BASH_REMATCH[0]}
@@ -48,24 +48,28 @@ otp_parse_uri() {
   otp_accountname=${BASH_REMATCH[6]}
   [[ -z $otp_accountname ]] && otp_accountname=${BASH_REMATCH[4]} || otp_issuer=${BASH_REMATCH[4]}
 
-  local parameters=(${BASH_REMATCH[@]:7})
-  pattern='^([^?&=]+)(=(.+))$'
-  for param in "${parameters[@]}"; do
+  local p=${BASH_REMATCH[7]}
+  local IFS=\&; local params=(${p[@]}); unset IFS
+
+  pattern='^(.+)=(.+)$'
+  for param in "${params[@]}"; do
     if [[ "$param" =~ $pattern ]]; then
       case ${BASH_REMATCH[1]} in
-        secret) otp_secret=${BASH_REMATCH[3]} ;;
-        digits) otp_digits=${BASH_REMATCH[3]} ;;
-        algorithm) otp_algorithm=${BASH_REMATCH[3]} ;;
-        period) otp_period=${BASH_REMATCH[3]} ;;
-        counter) otp_counter=${BASH_REMATCH[3]} ;;
-        issuer) otp_issuer=${BASH_REMATCH[3]} ;;
+        secret) otp_secret=${BASH_REMATCH[2]} ;;
+        digits) otp_digits=${BASH_REMATCH[2]} ;;
+        algorithm) otp_algorithm=${BASH_REMATCH[2]} ;;
+        period) otp_period=${BASH_REMATCH[2]} ;;
+        counter) otp_counter=${BASH_REMATCH[2]} ;;
+        issuer) otp_issuer=${BASH_REMATCH[2]} ;;
         *) ;;
       esac
     fi
   done
 
   [[ -z "$otp_secret" ]] && die "Invalid key URI (missing secret): $otp_uri"
-  [[ "$otp_type" == 'hotp' && -z "$otp_counter" ]] && die "Invalid key URI (missing counter): $otp_uri"
+
+  pattern='^[0-9]+$'
+  [[ "$otp_type" == 'hotp' ]] && [[ ! "$otp_counter" =~ $pattern ]] && die "Invalid key URI (missing counter): $otp_uri"
 }
 
 otp_build_uri() {
-- 
cgit v1.2.3