Closed sualko closed 2 years ago
It seems BigBlueButton is re-encoding the URL while removing the checksum from the query string, see https://github.com/bigbluebutton/bigbluebutton/blob/8cf5b64a0feeb6da04c6a3eb0dc03cc93c4022dd/bbb-common-web/src/main/java/org/bigbluebutton/api/model/shared/GetChecksum.java#L36. Therefore they are using the RFC1738 encoding to calculate the checksum. The only mystery is why this is not failing on every server.
Sorry that you get so many mails from me :-)
It seems it's a bit of a false alarm. The change was introduced with the upcoming 2.4 line and therefore the user is probably a beta tester :see_no_evil:.
Just for the record, BBB 2.3 is using a more stable verification step: https://github.com/bigbluebutton/bigbluebutton/blob/c8577dd76d21197374bef2490eceb027e9327e2e/bbb-common-web/src/main/java/org/bigbluebutton/api/ParamsProcessorUtil.java#L801
I leave this issue open, because it's something we have to look into if 2.4 gets released.
As you can see, BBB has fixed the issue, but the user is reporting that he is still using BBB 2.2. So what do you think? Do we have to revert back to RFC1738? Can someone reproduce this?
I haven't experienced any problems with the new encoding. Could the user provide us with the data he used to call the API? What API call (create, join, etc.)? What are the parameters? Could the user write a test that fails?
Here is the url which results in a checksum error. I only changed the domain names.
The user also created a test script:
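```php
use BigBlueButton\Parameters\CreateMeetingParameters;

// $bbb is an already configured BigBlueButton\BigBlueButton instance
// (its setup is not shown in the original post).
$createMeetingParams = new CreateMeetingParameters("123", "Raum1");
$createMeetingParams->setAttendeePW("pw1");
$createMeetingParams->setModeratorPW("pw2");
// The spaces in this message are what trigger the encoding difference.
$createMeetingParams->setModeratorOnlyMessage("Das ist eine Meldung");
$url = $bbb->getCreateMeetingUrl($createMeetingParams);
echo "URL: <a href='$url'>$url</a>";
```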
The resulting url will produce a checksum error with the current version of this library. If he changes http_build_query to use RFC1738 everything works fine. The user is reporting that there are no related errors on the bbb server.
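Added example, not part of the thread, the library, or BigBlueButton: a PHP sketch of why the parameters from the test script above can fail verification. It assumes the documented BBB scheme `sha1(callName + queryString + secret)`; the secret, the function names and both verifier models (one hashing the query string as received, one re-encoding the parameters form-style first) are constructed for illustration.

```php
<?php
// Constructed sample secret; not a real BBB shared secret.
const SECRET = 'constructed-shared-secret';

// Client side: sign the query string exactly as it will be sent.
function buildSignedQuery(string $call, array $params, int $encType): string
{
    $query = http_build_query($params, '', '&', $encType);
    return $query . '&checksum=' . sha1($call . $query . SECRET);
}

// Verifier A (assumed model): cut the checksum off the raw query string
// and hash the remaining bytes as received, independent of encoding style.
function verifyRaw(string $call, string $signedQuery): bool
{
    $pos = strrpos($signedQuery, '&checksum=');
    if ($pos === false) {
        return false;
    }
    $query = substr($signedQuery, 0, $pos);
    $sent  = substr($signedQuery, $pos + strlen('&checksum='));
    return hash_equals(sha1($call . $query . SECRET), $sent);
}

// Verifier B (assumed model of the re-encoding described in the thread):
// decode the parameters, drop the checksum, re-encode with space => '+'.
function verifyReencoded(string $call, string $signedQuery): bool
{
    parse_str($signedQuery, $params);
    $sent = (string) ($params['checksum'] ?? '');
    unset($params['checksum']);
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC1738);
    return hash_equals(sha1($call . $query . SECRET), $sent);
}

// Same values as the user's test script; the message contains spaces.
$params = [
    'name' => 'Raum1', 'meetingID' => '123', 'attendeePW' => 'pw1',
    'moderatorPW' => 'pw2', 'moderatorOnlyMessage' => 'Das ist eine Meldung',
];
foreach (['RFC1738' => PHP_QUERY_RFC1738, 'RFC3986' => PHP_QUERY_RFC3986] as $label => $encType) {
    $signed = buildSignedQuery('create', $params, $encType);
    printf("%s client: raw=%s reencoded=%s\n", $label,
        var_export(verifyRaw('create', $signed), true),
        var_export(verifyReencoded('create', $signed), true));
}
```

The only combination that fails is the RFC3986 client (`%20`) against the re-encoding verifier, which rebuilds the string with `+` before hashing; without spaces in any value the two encodings produce identical query strings and both verifiers pass.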
Hm, interesting. According to the change to fix https://github.com/bigbluebutton/bigbluebutton/issues/12919, the old method which was restored there to receive the query string without the checksum looked very straight and did not depend on the method used to encode the parameters.
What I would do here:
I currently do not have access to an instance still running BBB 2.2
I have access to a 2.2 version and I can't reproduce it either. So I guess we leave this open until we get more information.
@sualko As this issue is one year old, should we close it as stale?
I have a user who is reporting checksum errors if he is using spaces. It seems his installation does not like the RFC3986 encoding introduced in https://github.com/littleredbutton/bigbluebutton-api-php/commit/8fbdc1dff2c9d6454932e2891792e6da0de9d260. If he changes it back to RFC1738, everything works fine. Can someone reproduce this, or explain it?