From mboxrd@z Thu Jan 1 00:00:00 1970 From: thevlad at gmail.com (thevlad at gmail.com) Date: Thu, 12 Apr 2018 20:54:31 +0300 Subject: [PATCH] Encode value and field before calculating cookie digest, the same way secure_value() does Message-ID: <20180412175431.33587-1-thevlad@gmail.com> From: Vlad Safronov Bugfix: Encode value and field before calculating cookie digest, the same way as secure_value() does so validating will work correctly on encoded values. --- filters/simple-authentication.lua | 2 ++ 1 file changed, 2 insertions(+) diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index de34d09..b40a819 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua @@ -230,6 +230,8 @@ function validate_value(expected_field, cookie) return nil end + value = url_encode(value) + field = url_encode(field) -- Lua hashes strings, so these comparisons are time invariant. if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil -- 2.17.0
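Review bot: the two added lines `value = url_encode(value)` / `field = url_encode(field)` only make validate_value() agree with secure_value() if `value` and `field` hold the decoded cookie components at this point; the hunk does not show where they are parsed, so if they still carry the encoded form the cookie was issued with, this double-encodes them and the HMAC never matches. Please state in the commit message which step decodes the cookie (so a reader can confirm the round trip), and consider moving the encoding plus the `field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt` construction into one helper called by both secure_value() and validate_value(), so the two paths cannot drift apart again.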