Closed szaqal83 closed 5 months ago
This sanitization breaks even more; the auth header before sanitization (only wp_unslash() used) looks like:
'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", oauth_callback="http%3A%2F%2Ftest.loc%2Fpoligon%2Foauth%2Foauth.php", oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY%3D"'
after sanitization applied:
'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", oauth_callback="httptest.locpoligonoauthoauth.php", oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY"'
Besides "%3D" (=) being stripped from oauth_signature, it also breaks the oauth_callback URL.
Thanks so much for this @szaqal83 :-)
I see this issue was added to the 0.4.4 release. Any estimate when that release will occur?
After 2 days of checking I've found the problem. In short, version 0.4.x (0.4.2 for sure) added an extra sanitize_text_field() in the get_authorization_header() method of the WP_REST_OAuth1 class (wp-content\plugins\rest-api-oauth1\lib\class-wp-rest-oauth1.php line 87) - version 0.3.0 didn't have it and it worked. This extra sanitization causes removal of the padding equals sign (=) from the oauth_signature string (base64 encoded) in the auth header, and this causes a signature mismatch here (line 742):
if ( ! hash_equals( $signature, $consumer_signature ) )
At this point, with the extra sanitization, the vars look like:
$signature = "2jnndRHY0XmcoLAKQ57BTk3hFuY="
$consumer_signature = "UxNEGv4G7XLC8deayKGWTdUmt0"
Without the extra sanitization, changing line 87 mentioned above from
return sanitize_text_field( wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] ) );
to
return wp_unslash( $_SERVER['HTTP_AUTHORIZATION'] );
they are:
$signature = "eo/0c0cV8mGq3srFuKowKTtuVBg="
$consumer_signature = "eo/0c0cV8mGq3srFuKowKTtuVBg="
and everything works fine.
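
Added example (not part of the thread and not the plugin's code): a stand-alone PHP script that reproduces the effect described above on the header quoted in the thread. `strip_octets()` and `parse_oauth_header()` are hypothetical helpers; `strip_octets()` imitates only the one step of WordPress's `sanitize_text_field()` that removes percent-encoded octets (`%XX`), which is the step that damages OAuth parameters.

```php
<?php
// Hypothetical stand-in for the percent-encoded-octet removal performed by
// sanitize_text_field(); the other steps of that function are not modelled.
function strip_octets( string $value ): string {
    while ( preg_match( '/%[a-f0-9]{2}/i', $value, $match ) ) {
        $value = str_replace( $match[0], '', $value );
    }
    return $value;
}

// Hypothetical parser: extracts oauth_* key="value" pairs from the header and
// percent-decodes each value, as a server does before verifying the request.
function parse_oauth_header( string $header ): array {
    $params = array();
    if ( preg_match_all( '/(oauth_[a-z_]+)="([^"]*)"/', $header, $matches, PREG_SET_ORDER ) ) {
        foreach ( $matches as $m ) {
            $params[ $m[1] ] = rawurldecode( $m[2] );
        }
    }
    return $params;
}

// Authorization header exactly as quoted in the thread.
$header = 'OAuth oauth_consumer_key="xyz", oauth_nonce="xyzxyzxyzxyzxyz", oauth_signature_method="HMAC-SHA1", oauth_timestamp="12345", oauth_version="1.0", oauth_callback="http%3A%2F%2Ftest.loc%2Fpoligon%2Foauth%2Foauth.php", oauth_signature="Kbgqrqyvfh978LNPxWy4KogSEHY%3D"';

$raw       = parse_oauth_header( $header );
$sanitized = parse_oauth_header( strip_octets( $header ) );

// Report every parameter whose decoded value differs after octet stripping.
foreach ( $raw as $key => $value ) {
    $after = $sanitized[ $key ] ?? '(missing)';
    if ( $value !== $after ) {
        printf( "%s changed:\n  raw:       %s\n  sanitized: %s\n", $key, $value, $after );
    }
}

// Same comparison primitive as the plugin's check: the signature that arrives
// after stripping can never equal the one the client actually sent.
var_dump( hash_equals( $raw['oauth_signature'], $sanitized['oauth_signature'] ) );
```

Any parameter whose value contains percent-encoded characters is affected, which is why both `oauth_callback` and `oauth_signature` are reported while the plain alphanumeric parameters pass through unchanged.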