2 files changed, 5 insertions, 4 deletions

diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index 6e81d75..9c6c5ac 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -101,8 +101,9 @@ openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 
 if (isset($_GET['username'])) {
 	$authmodes = explode(",", $_GET['authcfg']);
-	$username = base64_decode(str_replace('%3D', '=', $_GET['username']));
-	$password = base64_decode(str_replace('%3D', '=', $_GET['password']));
+	/* Any string retrieved through $_GET is automatically urlDecoded */
+	$username = base64_decode($_GET['username']);
+	$password = base64_decode($_GET['password']);
 	$common_name = $_GET['cn'];
 	$modeid = $_GET['modeid'];
 	$strictusercn = $_GET['strictcn'] == "false" ? false : true;
diff --git a/src/usr/local/sbin/ovpn_auth_verify b/src/usr/local/sbin/ovpn_auth_verify
index e7b8c6c..e84aad2 100755
--- a/src/usr/local/sbin/ovpn_auth_verify
+++ b/src/usr/local/sbin/ovpn_auth_verify
@@ -5,8 +5,8 @@ if [ "$1" = "tls" ]; then
 else
 	# Single quoting $password breaks getting the value from the variable.
 	# Base64 and urlEncode usernames and passwords
-	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g')
-	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's/=/%3D/g')
+	password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
+	username=$(echo -n "${username}" | openssl enc -base64 | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g')
 	RESULT=$(/usr/local/sbin/fcgicli -f /etc/inc/openvpn.auth-user.php -d "username=$username&password=$password&cn=$common_name&strictcn=$3&authcfg=$2&modeid=$4")
 fi