diff --git a/src/Prowlarr.Http/Authentication/AuthenticationBuilderExtensions.cs b/src/Prowlarr.Http/Authentication/AuthenticationBuilderExtensions.cs
index 2eb307f0a..318f22929 100644
--- a/src/Prowlarr.Http/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Prowlarr.Http/Authentication/AuthenticationBuilderExtensions.cs
@@ -1,5 +1,6 @@
 using System;
-using System.Web;
+using System.Text.RegularExpressions;
+using Diacritical;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.Extensions.DependencyInjection;
@@ -10,6 +11,8 @@ namespace Prowlarr.Http.Authentication
 {
 public static class AuthenticationBuilderExtensions
 {
+ private static readonly Regex CookieNameRegex = new Regex(@"[^a-z0-9]+", RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
 public static AuthenticationBuilder AddApiKey(this AuthenticationBuilder authenticationBuilder, string name, Action options)
 {
 return authenticationBuilder.AddScheme(name, options);
@@ -35,8 +38,10 @@ namespace Prowlarr.Http.Authentication
 services.AddOptions(AuthenticationType.Forms.ToString())
 .Configure((options, configFileProvider) =>
 {
- // Url Encode the cookie name to account for spaces or other invalid characters in the configured instance name
- var instanceName = HttpUtility.UrlEncode(configFileProvider.InstanceName);
+ // Replace diacritics and replace non-word characters to ensure cookie name doesn't contain any valid URL characters not allowed in cookie names
+ var instanceName = configFileProvider.InstanceName;
+ instanceName = instanceName.RemoveDiacritics();
+ instanceName = CookieNameRegex.Replace(instanceName, string.Empty);
 
 options.Cookie.Name = $"{instanceName}Auth";
 options.AccessDeniedPath = "/login?loginFailed=true";
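Review bot: `RegexOptions.IgnoreCase` on `CookieNameRegex` makes the set of characters that survive depend on case-folding rules instead of the literal ASCII range, so it can be wider than `a-z0-9` suggests. .NET can treat some non-ASCII characters as case variants of ASCII letters (the Kelvin sign U+212A for `k` is the usual example), and without `RegexOptions.CultureInvariant` the folding also follows the process culture. Spelling the range out keeps the filter strictly ASCII: `new Regex(@"[^a-zA-Z0-9]+", RegexOptions.Compiled)`. A one-line comment above the field, such as `// Matches every run of characters other than ASCII letters and digits`, would also say what is being stripped.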
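Review bot: After the `RemoveDiacritics()` and `CookieNameRegex.Replace` steps `instanceName` can end up empty, for example when the configured name is written entirely in a non-Latin script or consists only of punctuation, and the cookie name then collapses to the bare `Auth`. The mapping is also lossy where the old `UrlEncode` was not: names that differ only in stripped characters now produce the same cookie name. Because browsers scope cookies by host and not by port, two instances on one hostname would then overwrite each other's authentication cookie. A guard right after the `Replace` call, such as `if (instanceName.Length == 0) { instanceName = "Instance"; }` (the literal is a placeholder), avoids the bare name, and appending a short digest of the original name would keep distinct instances distinct. Whether `configFileProvider.InstanceName` can be null is not visible in this hunk, and the enclosing method starts and ends outside it.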