dreamnear / oauth-php

Automatically exported from code.google.com/p/oauth-php
MIT License
0 stars 0 forks source link

Improper handling of xoauth_* query parameters #124

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Add params to an OAuth request with xoauth_ as a prefix
2. Observe they incorrectly get added to the Authorization header and removed 
from query params in violation of spec

What is the expected output? 

Authorization: OAuth realm="", oauth_signature_method="HMAC-SHA1", 
oauth_signature="eE3to2CjqfLS7YREYgaPdVwoT1s%3D", oauth_nonce="4f877a4704166", 
oauth_timestamp="1334278727", oauth_token="", oauth_consumer_key="REDACTED", 
oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

What do you see instead?

Authorization: OAuth realm="", xoauth_oauth2_access_token="REDACTED", 
oauth_signature_method="HMAC-SHA1", 
oauth_signature="djqNq8cPkKXrqh5BXXff5fnDV9M%3D", oauth_nonce="4f877864cb6a6", 
oauth_timestamp="1334278244", oauth_token="", oauth_consumer_key="REDACTED", 
oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

What version of the product are you using? On what operating system?

oauth-php-175 (operating system is irrelevant)

Please provide any additional information below.

--- ../../library/OAuthRequestSigner.php    2012-04-12 18:19:34.000000000 -0700
+++ ../../library/OAuthRequestSigner-unbroken.php   2012-04-12 18:19:13.000000000 
-0700
@@ -152,7 +152,7 @@

    /**
     * Builds the Authorization header for the request.
-    * Adds all oauth_ and xoauth_ parameters to the Authorization header.
+    * Adds all oauth_ parameters to the Authorization header.
     * 
     * @return string
     */
@@ -166,7 +166,7 @@
        $h[] = 'Authorization: OAuth realm=""';
        foreach ($this->param as $name => $value)
        {
-           if (strncmp($name, 'oauth_', 6) == 0 || strncmp($name, 'xoauth_', 7) == 0)
+           if (strncmp($name, 'oauth_', 6) == 0)
            {
                $h[] = $name.'="'.$value.'"';
            }
@@ -189,7 +189,7 @@
        foreach ($this->param as $name => $value)
        {
            if (    !$oauth_as_header 
-               ||  (strncmp($name, 'oauth_', 6) != 0 && strncmp($name, 'xoauth_', 7) != 0))
+               ||  (strncmp($name, 'oauth_', 6) != 0)
            {
                if (is_array($value))
                {

Without the above change, the library is in clear violation of the OAuth 1.0a 
spec. Some background reading is available here:

http://hueniverse.com/2009/03/clarifying-oauth-requirements-for-service-provider
s/
http://groups.google.com/group/oauth/browse_thread/thread/662fc80c07d25bd5/b88e2
e035e1cfe6f?pli=1

Original issue reported on code.google.com by jsjoh...@gmail.com on 13 Apr 2012 at 1:28