Created by: seanhandley
Autologin plugin fails if the user's email address (quite validly) contains a "+".
Using GMail labels of the form [email protected]
I found a scenario where Arachni can't log into the app. On checking the server logs, I saw it was submitting email addresses of the form
my.user [email protected]
resulting in the server returning 422 Unprocessable Entity.
This is down to the way the form parameters are sanitised in https://github.com/Arachni/arachni/blob/master/lib/arachni/element/form.rb#L423
e.g.
URI.decode_www_form_component "sean.handley+arachni@datacentred.co.uk"
=> "sean.handley arachni@datacentred.co.uk"
URI.decode_www_form_component "user[email]=sean.handley+arachni@datacentred.co.uk"
=> "user[email]=sean.handley arachni@datacentred.co.uk"
URI.decode "user[email]=sean.handley+arachni@datacentred.co.uk"
=> "user[email]=sean.handley+arachni@datacentred.co.uk"
URI.decode_www_form_component "user%5Bemail%5D=sean.handley%2Barachni%40datacentred.co.uk"
=> "user[email]=sean.handley+arachni@datacentred.co.uk"
URI.decode "user%5Bemail%5D=sean.handley%2Barachni%40datacentred.co.uk"
=> "user[email]=sean.handley+arachni@datacentred.co.uk"
An alternative approach is to instruct the user in the plugin documentation to enter the string in an encoded form at https://github.com/arachni/arachni/blob/master/components/plugins/autologin.rb#L110
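Added example (not part of the issue above and not Arachni's own code): a small Ruby script that reproduces the two decoding behaviours side by side and shows why a raw value must be form-encoded before it is placed in a form body. `percent_decode` is a hand-rolled percent-only decoder standing in for the deprecated `URI.decode`; `value_seen_by_server` is an assumed stand-in for the server's parsing of the submitted body, and the sample address is the one quoted in the issue.

```ruby
require 'uri'

# Constructed sample value, taken from the issue; the "+" is a legitimate sub-address tag.
RAW_EMAIL = 'sean.handley+arachni@datacentred.co.uk'

# Percent-decoding only (RFC 3986 style): "%2B" becomes "+", but a literal "+"
# is left untouched. Hand-rolled so the example does not rely on the
# deprecated URI.decode.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# application/x-www-form-urlencoded decoding: besides percent sequences, a
# literal "+" means space. Applying it to a raw value that was never encoded
# silently turns "+" into " ", which is the failure described in the issue.
def form_decode(str)
  URI.decode_www_form_component(str)
end

# The safe direction: encode the raw value before it enters a form body, so
# the later form-decode step reverses exactly that encoding ("+" -> "%2B").
def form_encode(str)
  URI.encode_www_form_component(str)
end

# Simulates what a credential configured in a plugin ends up as on the server.
# Builds a form body and parses it the way a server would, returning the value
# of the user[email] field.
def value_seen_by_server(raw, encode_before_submit:)
  submitted = encode_before_submit ? form_encode(raw) : raw
  body = "user[email]=#{submitted}"
  # decode_www_form splits the body into [[name, value], ...] pairs and
  # form-decodes each part.
  URI.decode_www_form(body).to_h['user[email]']
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:                   #{RAW_EMAIL}"
  puts "percent_decode:        #{percent_decode(RAW_EMAIL)}"
  puts "form_decode:           #{form_decode(RAW_EMAIL)}"
  puts "form_encode:           #{form_encode(RAW_EMAIL)}"
  puts "server sees (raw):     #{value_seen_by_server(RAW_EMAIL, encode_before_submit: false)}"
  puts "server sees (encoded): #{value_seen_by_server(RAW_EMAIL, encode_before_submit: true)}"
end
```

The takeaway for a plugin author is that the decode step is not wrong in itself; it is only wrong when the value it receives was never encoded. Running the configured value through `form_encode` once, at the point where it is placed into the request, keeps every "+" intact without any documentation caveat for the user.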