bemurphy / rack-twilio-validator

Rack Middleware for validating twilio request signatures

Incorrect signing for HTTPS, or routes protected by basic auth #1

Open kevinburke opened 12 years ago

kevinburke commented 12 years ago

Kevin from Twilio here.

Thanks for writing this library. Due to some long-standing bugs in the way Twilio computes request signatures, it won't do the right thing if the URL being requested is HTTPS, or loaded at a port other than 80. Unfortunately, we can't fix them in this version of the API because it may cause existing apps to break.

Here are the details from our security page:

For voice calls over HTTP, Twilio will drop the username and password (if any) from the URL before computing the signature. For voice calls over HTTPS, Twilio will drop the username, password and port (if any) before computing the signature. This behavior will continue to be supported in the 2008-08-01 and 2010-04-01 versions of the API to ensure compatibility with existing code. We understand this behavior is inconsistent, and apologize for the inconvenience.
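The stripping rules quoted above, worked through as an added example rather than code from this middleware or from Twilio: the validator rebuilds the URL the way the security page describes (drop userinfo for HTTP; drop userinfo and port for HTTPS) before applying Twilio's documented signature scheme (HMAC-SHA1 over the URL with sorted POST parameters appended, base64-encoded). The auth token and request parameters are constructed sample values.

```ruby
require "openssl"
require "base64"
require "uri"

module TwilioSigning
  # Rebuild the URL as Twilio does before signing (per the quoted security page):
  #   HTTP  -> drop the username:password@ part only, keep any non-default port
  #   HTTPS -> drop the username:password@ part and the port
  def self.normalize_url(url)
    uri = URI.parse(url)
    rebuilt = "#{uri.scheme}://#{uri.host}"
    keep_port = uri.scheme == "http" && uri.port && uri.port != uri.default_port
    rebuilt << ":#{uri.port}" if keep_port
    rebuilt << uri.path
    rebuilt << "?#{uri.query}" if uri.query
    rebuilt
  end

  # Twilio's documented scheme: append each POST parameter (sorted by key) as
  # key followed by value to the normalized URL, HMAC-SHA1 with the account's
  # auth token, base64-encode the raw digest.
  def self.signature(auth_token, url, params)
    data = normalize_url(url) + params.sort.map { |k, v| "#{k}#{v}" }.join
    Base64.strict_encode64(OpenSSL::HMAC.digest("sha1", auth_token, data))
  end

  # Compare against the X-Twilio-Signature header value in constant time so the
  # comparison does not leak how many leading bytes matched.
  def self.valid?(auth_token, url, params, header_signature)
    expected = signature(auth_token, url, params)
    return false unless expected.bytesize == header_signature.to_s.bytesize
    expected.bytes.zip(header_signature.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample: the same request signed over the bare HTTPS URL validates
# even though the app saw it arrive with basic auth and a non-default port.
if __FILE__ == $0
  token  = "constructed-test-token"
  params = { "From" => "+15551234567", "Body" => "hello" }
  sig    = TwilioSigning.signature(token, "https://example.com/sms", params)
  puts TwilioSigning.valid?(token, "https://user:pw@example.com:8443/sms", params, sig)
end
```

In a Rack middleware the URL to normalize is the one the app was reached at (scheme, host, port, path and query string from the request), and the parameters are the POST form fields of that request.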

bemurphy commented 12 years ago

@kevinburke thanks for the pointer. I'll write some specs and do some additional testing around that when I get a chance.

andrewmbenton commented 12 years ago

I think this might need to be reopened. The implementation you have will work for voice request validation, but unfortunately SMS request validation does leave the basic auth credentials and the port in, even over HTTPS. Kevin may need to correct me if I'm wrong on this though.

In the case that I am right, you may need to check for a :Body parameter in the request inside of your formatted_url method, and then change behavior based on that. The :Body parameter will only exist in an SMS request, so off the top of my head it seems like a good way to distinguish between voice and SMS. But there may be a more clever way that I haven't thought of.

bemurphy commented 12 years ago

Thanks for the prodding @andrewmbenton, I suspect you are right. I'm going to reopen and do some more testing later this week, or perhaps this weekend depending on timing.

My plan of attack is to get a token I can throw away and run some real transactions with a test app, then set up fixture data off that for some tests. Probably should have just started with that rather than going straight to the crypto ;)

bemurphy commented 12 years ago

@andrewmbenton I've been gathering data tonight against an app that logs the signature, request, and environment info for this. It looks like given an smsCallback with basic auth specified in the URL for SSL, it still strips the port and auth info before sending the URL into #validate.

I've got a private gist (since it's got an auth token in it) I'll send you that has a spec and fixture data running through Twilio::Util::RequestValidator that seems to confirm this.