In oauth.py:OAuthSignatureMethod_HMAC_SHA1, the signature is not being
verified as per the OAuth Core 1.0[a] specification. The specification states:
The Service Provider verifies the request by generating a new request
signature octet string, and comparing it to the signature provided by the
Consumer, first URL-decoded per Parameter Encoding (Parameter Encoding),
then base64-decoded per [RFC2045] section 6.8. The signature is generated
using the request parameters as provided by the Consumer, and the Consumer
Secret and Token Secret as stored by the Service Provider.
However, the code is only comparing the base64 encoded strings. The
attached patch resolves this issue, by overriding the check_signature method.
Original issue reported on code.google.com by dobey.p...@gmail.com on 24 Sep 2009 at 3:34
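An added example, not the attached patch or the project's own code: a stand-alone sketch of the verification order the quoted specification text describes (URL-decode, base64-decode, then compare octets). The function names, the sample request values and the constant-time comparison via hmac.compare_digest are assumptions made for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import quote, unquote

def percent_encode(value):
    # OAuth Parameter Encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")

def sign_octets(base_string, consumer_secret, token_secret=""):
    # The HMAC-SHA1 key is the two encoded secrets joined by "&".
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    return hmac.new(key.encode("ascii"), base_string.encode("ascii"),
                    hashlib.sha1).digest()

def b64_signature(octets):
    return base64.b64encode(octets).decode("ascii")

def verify_hmac_sha1(base_string, consumer_secret, token_secret, wire_value):
    # URL-decode first, then base64-decode, then compare octets.
    # unquote() leaves an already-decoded base64 string unchanged.
    try:
        provided = base64.b64decode(unquote(wire_value).encode("ascii"),
                                    validate=True)
    except (binascii.Error, UnicodeEncodeError):
        return False  # not valid base64: reject instead of raising
    expected = sign_octets(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, provided)

# Constructed sample request values, for illustration only.
BASE_STRING = "GET&http%3A%2F%2Fprovider.example%2Fphotos&oauth_nonce%3Dabc"
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"

if __name__ == "__main__":
    good = b64_signature(sign_octets(BASE_STRING, CONSUMER_SECRET, TOKEN_SECRET))
    wire = percent_encode(good)  # "=" becomes "%3D" on the wire
    print("string compare:", wire == good)
    print("octet compare: ", verify_hmac_sha1(BASE_STRING, CONSUMER_SECRET,
                                              TOKEN_SECRET, wire))
```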