WP-API / OAuth1

OAuth server implementation for WP API
http://oauth1.wp-api.org/

"OAuth signature does not match" error after upgrade to 0.4.2 #237

Closed szaqal83 closed 5 months ago

szaqal83 commented 7 months ago

After 2 days of checking I've found the problem. In short, version 0.4.x (0.4.2 for sure) added an extra sanitize_text_field() in the get_authorization_header() method of the WP_REST_OAuth1 class (wp-content\plugins\rest-api-oauth1\lib\class-wp-rest-oauth1.php, line 87); version 0.3.0 didn't have it and it worked. This extra sanitization removes the padding equal sign (=) from the base64-encoded oauth_signature string in the auth header, and this causes the signature mismatch here (line 742):

if ( ! hash_equals( $signature, $consumer_signature ) )

At this point, with the extra sanitization, the vars look like:

$signature = "2jnndRHY0XmcoLAKQ57BTk3hFuY="
$consumer_signature = "UxNEGv4G7XLC8deayKGWTdUmt0"

Without the extra sanitization, i.e. changing line 87 mentioned above from return sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) ); to return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );

they are:

$signature = "eo/0c0cV8mGq3srFuKowKTtuVBg="
$consumer_signature = "eo/0c0cV8mGq3srFuKowKTtuVBg="

and everything works fine.

szaqal83 commented 7 months ago

This sanitization breaks even more. The auth header before sanitization (with only wp_unslash() applied) looks like:

'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", oauth_callback="http%3A%2F%2Ftest.loc%2Fpoligon%2Foauth%2Foauth.php", oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY%3D"'

After sanitization is applied:

'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", oauth_callback="httptest.locpoligonoauthoauth.php", oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY"'

Besides the "%3D" (=) stripped from oauth_signature, it also breaks the oauth_callback URL.
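As an added example (not the plugin's code; the function names are hypothetical), this is how a server can take the header quoted above apart safely: split it into RFC 5849 key="value" pairs, percent-decode each value exactly once, and then validate every field against its own allowlist, so the base64 padding and the percent-encoded callback survive intact for the later hash_equals() comparison. Running a generic text sanitizer over the whole raw header, as in 0.4.2, is what strips "%3D" and "%3A%2F%2F" before the parameters are ever parsed.

```php
<?php
// Added example, not the plugin's code: parse first, decode once, then validate per field.
// Returns the decoded oauth_* parameters, or null if the header is malformed.
function parse_oauth_header(string $header): ?array {
    if (!preg_match('/^OAuth\s+(.+)$/is', trim($header), $m)) {
        return null;
    }
    // Comma-separated key="value" pairs; values are percent-encoded (RFC 5849 3.5.1).
    if (!preg_match_all('/([A-Za-z0-9_]+)="([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER)) {
        return null;
    }
    $params = [];
    foreach ($pairs as [, $key, $value]) {
        if (isset($params[$key])) {
            return null; // duplicate parameter: reject, do not silently pick one
        }
        $params[$key] = rawurldecode($value); // rawurldecode keeps "+" literal
    }
    return $params;
}

// Per-field allowlist applied to the decoded values; returns the names that fail.
function invalid_oauth_fields(array $params): array {
    $rules = [
        'oauth_consumer_key'     => '/^[\x21-\x7E]{1,255}$/',
        'oauth_nonce'            => '/^[\x21-\x7E]{1,255}$/',
        'oauth_signature_method' => '/^(HMAC-SHA1|RSA-SHA1|PLAINTEXT)$/',
        'oauth_timestamp'        => '/^[0-9]{1,20}$/',
        'oauth_version'          => '/^1\.0$/',
        'oauth_signature'        => '/^[A-Za-z0-9+\/]+={0,2}$/', // base64, padding kept
        'oauth_callback'         => '/^(oob|https?:\/\/[^\s"<>]+)$/',
    ];
    $bad = [];
    foreach ($rules as $field => $regex) {
        if (isset($params[$field]) && !preg_match($regex, $params[$field])) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// The header quoted in the issue, before any sanitization.
$header = 'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", '
        . 'oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", '
        . 'oauth_callback="http%3A%2F%2Ftest.loc%2Fpoligon%2Foauth%2Foauth.php", '
        . 'oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY%3D"';
$params = parse_oauth_header($header);
echo $params['oauth_signature'], "\n", $params['oauth_callback'], "\n";
echo 'invalid fields: ', implode(',', invalid_oauth_fields($params)) ?: '(none)', "\n";
```

Run with php from the command line; the decoded signature keeps its trailing "=" and the callback comes back as a plain http:// URL, with no field rejected.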

fergusbisset commented 6 months ago

Thanks so much for this @szaqal83 :-)

scottfennell-toptal commented 5 months ago

I see this issue was added to the 0.4.4 release. Any estimate when that release will occur?