From cf3ffebfde3eb6d76aa898a0b55249d5c3bf649e Mon Sep 17 00:00:00 2001
From: Hui Hui <0w0@loli.pet>
Date: Tue, 28 May 2019 01:00:32 +0800
Subject: [PATCH] fix issuer of OTP URI should be URI-encoded. (#6634)
* fix: Issuer of OTP URI should be URI-encoded. follow this link https://github.com/google/google-authenticator/wiki/Key-Uri-Format .
* filter unsafe character ':' in issuer
* Use Replace rather than ReplaceAll
---
 routers/user/setting/security_twofa.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/routers/user/setting/security_twofa.go b/routers/user/setting/security_twofa.go
index 3a590f0b08..fca1151a04 100644
--- a/routers/user/setting/security_twofa.go
+++ b/routers/user/setting/security_twofa.go
@@ -74,11 +74,13 @@ func twofaGenerateSecretAndQr(ctx *context.Context) bool {
 if uri != nil {
 otpKey, err = otp.NewKeyFromURL(uri.(string))
 }
+ // Filter unsafe character ':' in issuer
+ issuer := strings.Replace(setting.AppName+" ("+setting.Domain+")", ":", "", -1)
 if otpKey == nil {
 err = nil // clear the error, in case the URL was invalid
 otpKey, err = totp.Generate(totp.GenerateOpts{
 SecretSize: 40,
- Issuer: setting.AppName + " (" + strings.TrimRight(setting.AppURL, "/") + ")",
+ Issuer: issuer,
 AccountName: ctx.User.Name,
 })
 if err != nil {
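Review bot: The new `issuer` line strips ':' only from the issuer, while `AccountName: ctx.User.Name` a few lines below goes into the same `issuer:account` label unfiltered; the Key URI format linked in the commit message forbids a colon in either part. If user-name validation elsewhere already excludes ':', the comment should say so, e.g. `// ':' separates issuer and account in the otpauth label, so strip it from the issuer; user names cannot contain ':'` (to be confirmed against the name rules). The assignment also runs when the key is restored from the session URI, although `issuer` is only read inside `if otpKey == nil`, so it can move into that branch. Percent-encoding of the remaining characters is not visible in this hunk and presumably happens inside `totp.Generate`; the body of `twofaGenerateSecretAndQr` continues outside the hunk.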