authorjim-p <jimp@pfsense.org>2016-12-12 15:37:27 -0500
committerjim-p <jimp@pfsense.org>2016-12-12 15:38:25 -0500
commitf24b6fb6f7c51b467eba306850cd557231dac29e (patch)
tree0cd4c3863bcd885691e43edbccddda233f661e21
parent768037ee1f59f46b340a08d12f9c07a107d237cc (diff)
downloadpfsense-f24b6fb6f7c51b467eba306850cd557231dac29e.zip
pfsense-f24b6fb6f7c51b467eba306850cd557231dac29e.tar.gz
Encode the auth server list before passing it on the CLI, to avoid issues with special characters that break when interpreted as URL parameters during OpenVPN auth. Fixes #7002
-rw-r--r--src/etc/inc/openvpn.auth-user.php2
-rw-r--r--src/etc/inc/openvpn.inc2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index a3a3e37..a66ce6c 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -129,7 +129,7 @@ function getCalledStationId() {
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
if (isset($_GET['username'])) {
- $authmodes = explode(",", $_GET['authcfg']);
+ $authmodes = explode(",", base64_decode($_GET['authcfg']));
/* Any string retrieved through $_GET is automatically urlDecoded */
$username = base64_decode($_GET['username']);
$password = base64_decode($_GET['password']);
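Review bot: The decoded `authcfg` value is used without checking that decoding succeeded, and standard base64 can contain `+`, which arrives as a space once the query string is URL-decoded (the comment on the following line notes that `$_GET` values are decoded automatically). `base64_decode()` skips whitespace rather than failing, so a server list whose encoding contains `+` could decode to a different string, and authentication would then be attempted against a wrong or nonexistent backend name. Whether the caller percent-encodes the value is not visible here, so I would make the decode defensive with `$authcfg = base64_decode(str_replace(' ', '+', $_GET['authcfg']), true);` and deny the login when the result is `false` or an empty string. The same consideration applies to the existing `username` and `password` decodes; the rest of this block lies outside the hunk.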
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 5ab3655..5fc7172 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -853,7 +853,7 @@ function openvpn_reconfigure($mode, $settings) {
if ($settings['strictusercn']) {
$strictusercn = "true";
}
- $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id} {$settings['local_port']}\" via-env\n";
+ $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user " . base64_encode($settings['authmode']) . " {$strictusercn} {$mode_id} {$settings['local_port']}\" via-env\n";
}
break;
}
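Review bot: Dropping the single quotes that surrounded the old `authmode` argument means an empty `$settings['authmode']` now yields no word at all, so `{$strictusercn}`, `{$mode_id}` and the port would each move one position left when the command line is split into arguments. Whether `authmode` can be empty on this path is not visible in the hunk, but keeping the quotes costs nothing because base64 output contains no quote characters: `... user '" . base64_encode($settings['authmode']) . "' {$strictusercn} ...`. The other interpolated values on that line remain unquoted, so a one-line comment stating where they are validated before being written into the config would help the next reviewer. The enclosing function starts and ends outside the hunk.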