search

bytespider / jsOAuth

JavaScript implimentation of the OAuth protocol. Currently supports version 1.0 (RFC5849) of the specification. Node.js & CommonJS compatible.
http://bytespider.github.com/jsOAuth/
MIT License
556 stars 108 forks source link

QueryString.setQueryParams doesn't decode query values #36

Closed scyclops closed 12 years ago

scyclops commented 12 years ago

On line 139 of URI.js. This causes query parameters that are already encoded to be encoded again when later constructing the base signature string and so results in signature hash mismatches.

bytespider commented 12 years ago

It probably would be wise to decode any query param that is added to a query string, however I cant guarantee that the intention wasn't to have it double encoded for some reason

bytespider commented 12 years ago

Do you want to try this version? I've added decoding of params given to QueryString

scyclops commented 12 years ago

The patch that worked best for me was to just change 

querystring[key_value[0]] = key_value[1];

to:

querystring[decode(key_value[0])] = decode(key_value[1]);

Decoding the key is important because it could be encoded as well.

I'm not sure that adding decoding to the other cases in that function makes as much sense though (it really depends on how the callers are using it). For my own use, when I call getJSON with a URL, it will always have the GET parameters (if any) encoded into the URL and so I expect setQueryParams or some code in the stack between getJSON and the call to toSignatureBaseString to decode the GET parameters before they are used by toSignatureBaseString.