joker-b / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

BUG: Python library not escaping Authorisation parameter values #116

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The Python oauth library code generates the Authorisation header like so:

    # serialize as a header for an HTTPAuth request
    def to_header(self, realm=''):
        auth_header = 'OAuth realm="%s"' % realm
        # add the oauth parameters
        if self.parameters:
            for k, v in self.parameters.iteritems(): 
                auth_header += ', %s="%s"' % (k, v)
        return {'Authorization': auth_header}

The problem with this is that the parameter values are not escaped. This is 
particularly a problem 
with the oauth_signature parameter as it can contain the character "+". When a 
naïve 
implementation decodes that parameter's value using "URL" parsing code it will 
translate the "+" 
into a " " (ASCII space), thus destroying the signature. While it might be 
argued that the 
implementation doing so is incorrect (it should only be translating %XX hex 
values) it does 
happen. I believe also that the OAuth spec indicates that the values should be 
escaped. Thus I 
believe it's appropriate to alter the code to always escape the value part:

    # serialize as a header for an HTTPAuth request
    def to_header(self, realm=''):
        auth_header = 'OAuth realm="%s"' % realm
        # add the oauth parameters
        if self.parameters:
            for k, v in self.parameters.iteritems(): 
                auth_header += ', %s="%s"' % (k, escape(str(v)))
        return {'Authorization': auth_header}

Original issue reported on code.google.com by r1chardj0n3s on 24 Aug 2009 at 7:25

GoogleCodeExporter commented 9 years ago
... and when I check the bloody SVN I notice it's fixed there. My apologies for 
the noise.

Original comment by r1chardj0n3s on 24 Aug 2009 at 7:29

GoogleCodeExporter commented 9 years ago
No problem!

Original comment by leah.culver on 17 Sep 2009 at 6:39