Properly encode scope and prompt items in OAuth URL

erikjv · erikjv · commit fb638e0ff6cd · 2024-01-17T20:20:51.000+01:00
The scope and the prompt items of an OAuth query can be branded and can contain characters that are not valid without encoding them. This change makes sure that those get encoded properly. Fixes: #11472
diff --git a/src/libsync/creds/oauth.cpp b/src/libsync/creds/oauth.cpp
@@ -466,14 +466,12 @@ QUrl OAuth::authorisationLink() const
 
     const QByteArray code_challenge = QCryptographicHash::hash(_pkceCodeVerifier, QCryptographicHash::Sha256)
                                           .toBase64(QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals);
-    QUrlQuery query { { QStringLiteral("response_type"), QStringLiteral("code") },
-        { QStringLiteral("client_id"), _clientId },
-        { QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort())) },
-        { QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge) },
-        { QStringLiteral("code_challenge_method"), QStringLiteral("S256") },
-        { QStringLiteral("scope"), Theme::instance()->openIdConnectScopes() },
-        { QStringLiteral("prompt"), Theme::instance()->openIdConnectPrompt() },
-        { QStringLiteral("state"), QString::fromUtf8(_state) } };
+    QUrlQuery query{{QStringLiteral("response_type"), QStringLiteral("code")}, {QStringLiteral("client_id"), _clientId},
+        {QStringLiteral("redirect_uri"), QStringLiteral("%1:%2").arg(_redirectUrl, QString::number(_server.serverPort()))},
+        {QStringLiteral("code_challenge"), QString::fromLatin1(code_challenge)}, {QStringLiteral("code_challenge_method"), QStringLiteral("S256")},
+        {QStringLiteral("scope"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectScopes()))},
+        {QStringLiteral("prompt"), QString::fromUtf8(QUrl::toPercentEncoding(Theme::instance()->openIdConnectPrompt()))},
+        {QStringLiteral("state"), QString::fromUtf8(_state)}};
 
     if (!_davUser.isEmpty()) {
         const QString davUser = QString::fromUtf8(QUrl::toPercentEncoding(_davUser)); // Issue #7762;
