escape params before calling the authy api

Signed-off-by: David A. Cuadrado <krawek@gmail.com>
twilio · May 24, 2012 · fb493f9 · fb493f9
1 parent 21bbb8e
commit fb493f9
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/lib/authy/api.rb b/lib/authy/api.rb
@@ -23,7 +23,8 @@ def self.register_user(attributes)
     def self.verify(attributes)
       token = attributes[:token] || attributes['token']
       user_id = attributes[:id] || attributes['id']
-      response = Typhoeus::Request.get("#{Authy.api_uri}/protected/json/verify/#{token}/#{user_id}", :params => {:api_key => Authy.api_key})
+
+      response = Typhoeus::Request.get("#{Authy.api_uri}/protected/json/verify/#{escape_for_url(token)}/#{escape_for_url(user_id)}", :params => {:api_key => Authy.api_key})
 
       Authy::Response.new(response)
     end
@@ -33,9 +34,14 @@ def self.verify(attributes)
     def self.request_sms(attributes)
       user_id = attributes[:id] || attributes['id']
 
-      response = Typhoeus::Request.get("#{Authy.api_uri}/protected/json/sms/#{user_id}", :params => {:api_key => Authy.api_key})
+      response = Typhoeus::Request.get("#{Authy.api_uri}/protected/json/sms/#{escape_for_url(user_id)}", :params => {:api_key => Authy.api_key})
 
       Authy::Response.new(response)
     end
+
+    private
+    def self.escape_for_url(field)
+      URI.escape(field.to_s.strip, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+    end
   end
 end
diff --git a/lib/authy/config.rb b/lib/authy/config.rb
@@ -11,7 +11,7 @@ def api_key
     def api_uri=(uri)
       @api_uri = uri
     end
-    alias :api_url= :api_key=
+    alias :api_url= :api_uri=
 
     def api_uri
       @api_uri || "https://api.authy.com"