From 2583830d46d7d75f915d9bfcfb89252daa96ec68 Mon Sep 17 00:00:00 2001 From: Ganesh Iyer Date: Thu, 26 Jul 2018 15:45:12 -0400 Subject: [PATCH] added urllib.unquote to escape urlencoded strings in cookies --- nginx-ldap-auth-daemon.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py index da6f4a7..d7bfa62 100755 --- a/nginx-ldap-auth-daemon.py +++ b/nginx-ldap-auth-daemon.py @@ -18,6 +18,7 @@ from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler # Requests are processed in separate thread import threading from SocketServer import ThreadingMixIn +import urllib class AuthHTTPServer(ThreadingMixIn, HTTPServer): pass # ----------------------------------------------------------------------------- @@ -51,7 +52,7 @@ class AuthHandler(BaseHTTPRequestHandler): ctx['action'] = 'performing authorization' auth_header = self.headers.get('Authorization') auth_cookie = self.get_cookie(ctx['cookiename']) - + auth_cookie = urllib.unquote(auth_cookie) if auth_cookie != None and auth_cookie != '': auth_header = "Basic " + auth_cookie self.log_message("using username/password from cookie %s" % @@ -71,9 +72,8 @@ class AuthHandler(BaseHTTPRequestHandler): ctx['action'] = 'decoding credentials' try: - auth_decoded = base64.b64decode(auth_header[6:]) + auth_decoded = urllib.unquote(base64.b64decode(auth_header[6:])) user, passwd = auth_decoded.split(':', 1) - except: self.auth_failed(ctx) return True @@ -164,8 +164,7 @@ class LDAPAuthHandler(AuthHandler): return self.params # GET handler for the authentication request - def do_GET(self): - + def do_GET(self): ctx = dict() self.ctx = ctx 
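Review bot: In the `@@ -51,7 +52,7 @@` hunk, `urllib.unquote(auth_cookie)` runs before the `auth_cookie != None` test on the next line, so a request with no auth cookie would pass `None` to `unquote`, which raises in Python 2 instead of returning. `get_cookie` is not visible in this diff, but the existing None test suggests it can return `None`; if so, clients that authenticate with only an `Authorization` header would fail here. Decode inside the guard instead, e.g. `auth_header = "Basic " + urllib.unquote(auth_cookie)`, and drop the unconditional call. The enclosing method starts and ends outside the hunk.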
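Review bot: In the `@@ -71,9 +72,8 @@` hunk, `urllib.unquote` is applied to the base64-decoded `user:password`, so it alters the credentials themselves rather than undoing cookie transport encoding. A password that legitimately contains a sequence such as `%41` is rewritten before the bind, for header-based logins as well as cookie ones, and cookie values are percent-decoded twice. The decoded name presumably becomes `ctx['user']`, which the later `@@ -213,8 +212,7 @@` hunk shows being substituted into the LDAP search filter with no escaping visible in the diff, so percent-encoded characters reach that filter in decoded form. Since the cookie is already unquoted earlier, keep this line as `auth_decoded = base64.b64decode(auth_header[6:])`. The bare `except:` around it would also hide any error raised by the new call, and the method body continues outside the hunk.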
@@ -213,8 +212,7 @@ class LDAPAuthHandler(AuthHandler): # ldap_obj.set_option(ldap.OPT_REFERRALS, 0) ctx['action'] = 'binding as search user' - ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE) - + ldap_obj.bind_s(ctx['binddn'], ctx['bindpasswd'], ldap.AUTH_SIMPLE) ctx['action'] = 'preparing search filter' searchfilter = ctx['template'] % { 'username': ctx['user'] }