madscientistone / socialauth-net

Automatically exported from code.google.com/p/socialauth-net

Encoding / decoding #171

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
I found 3 issues relating to encoding / decoding OAuth parameters:

1) SocialAuthUser.LoginCallback
pars = Utility.GetQuerystringParameters(response.Url.ToString());
should be replaced with
pars = Utility.GetQuerystringParameters(response.Url.OriginalString);
otherwise you run the risk of performing an "early" decoding of some qs parameters.
Let's say you have an oauth_verifier containing a plus sign. The provider properly encoded the plus sign, but response.Url.ToString() removes that encoding and then
NameValueCollection parameters = HttpUtility.ParseQueryString(queryString)
replaces the "early decoded" plus sign with a white space.

2) OAuthHelper.GenerateSignature
foreach (var param in oauthParameters)
each parameter should be encoded following RFC 3986, not just the ones that contain http:// or https://
I found the issue for the oauth_token parameter: my provider builds the token using a random base64 string that may contain chars that require escaping such as "/" or "=".
Escaping the whole string w/o escaping any single parameter value leads to a lack of escaping.

3) OAuthHelper.GenerateSignature
 case SIGNATURE_TYPE.HMACSHA1
hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&{1}", UrlEncode(consumerSecret), tokenSecret))
tokenSecret has to be escaped following RFC 3986 as well: it may contain chars that require escaping such as "/" or "=".

Let me know if you need more details

Original issue reported on code.google.com by cristian...@gmail.com on 26 Mar 2013 at 7:55

GoogleCodeExporter commented 9 years ago
I found another place with a missing encoding:
4) OAuth1_0a.DirectUserToServiceProvider
oauthParameters.Add(new QueryParameter("oauth_token", connectionToken.RequestToken))
connectionToken.RequestToken requires RFC 3986 escaping.

Original comment by cristian...@gmail.com on 26 Mar 2013 at 10:30

GoogleCodeExporter commented 9 years ago
5) OAuthHelper
GetAuthorizationHeader(QueryParameters oauthParameters) and
string GetAuthorizationUrlParameters(QueryParameters oauthParameters)
should escape all parameter values, not only oauth_signature.

Original comment by cristian...@gmail.com on 28 Mar 2013 at 8:14
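The five findings above all come down to one rule from OAuth 1.0a: every parameter key and value, the consumer secret and the token secret are percent-encoded per RFC 3986 (only ALPHA, DIGIT, "-", ".", "_", "~" stay literal) before they go into the signature base string, the HMAC key, or the Authorization header, and the callback query string is parsed as received rather than after an unescape pass. The following is an added example, not code from socialauth-net (it is Python rather than the project's C#), showing the hardened form of each step beside the reported behaviour for item 2. The consumer key, secrets, token and URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder credentials; not values from the issue or any real provider.
CONSUMER_KEY = "ck-example"
CONSUMER_SECRET = "cs-example"
REQUEST_TOKEN = "ab/c="        # base64-like token containing '/' and '=' (items 2 and 4)
TOKEN_SECRET = "ts/with="      # secret containing characters that need escaping (item 3)
REQUEST_TOKEN_URL = "https://api.example/request_token"


def rfc3986_encode(value: str) -> str:
    """Percent-encode per RFC 3986 / OAuth 1.0a 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(value, safe="-._~")


def normalize_parameters(params):
    """OAuth 1.0a 3.4.1.3.2: encode every key and value first, then sort and join as k=v&k=v."""
    pairs = sorted((rfc3986_encode(k), rfc3986_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def buggy_normalize_parameters(params):
    """Mirrors the behaviour reported in item 2: only values containing http:// or https:// are encoded,
    so a token such as 'ab/c=' reaches the base string unescaped."""
    pairs = sorted(
        (k, rfc3986_encode(v) if ("http://" in v or "https://" in v) else v)
        for k, v in params
    )
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, base_url, params):
    """METHOD & encoded(base URL) & encoded(normalized parameters)."""
    return "&".join((method.upper(), rfc3986_encode(base_url),
                     rfc3986_encode(normalize_parameters(params))))


def signing_key(consumer_secret, token_secret=""):
    """Item 3: both halves of the HMAC key are RFC 3986 escaped, then joined with '&'."""
    return f"{rfc3986_encode(consumer_secret)}&{rfc3986_encode(token_secret)}"


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string with the escaped signing key, base64 encoded."""
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    msg = signature_base_string(method, base_url, params).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def authorization_header(params, signature):
    """Item 5: every oauth_* value in the Authorization header is escaped, not only oauth_signature."""
    items = [(k, v) for k, v in params if k.startswith("oauth_")] + [("oauth_signature", signature)]
    return "OAuth " + ", ".join(f'{rfc3986_encode(k)}="{rfc3986_encode(v)}"' for k, v in items)


def callback_parameters(raw_url):
    """Item 1: parse the callback URL exactly as received, with no unescape pass beforehand, so a
    provider-encoded %2B in oauth_verifier decodes to '+' instead of being read as a space."""
    return dict(parse_qsl(urlsplit(raw_url).query, keep_blank_values=True))


def build_request_token_call():
    """Assemble a signed request-token call end to end and return the pieces for inspection."""
    params = [
        ("oauth_consumer_key", CONSUMER_KEY),
        ("oauth_token", REQUEST_TOKEN),
        ("oauth_nonce", "n1"),
        ("oauth_timestamp", "1364284500"),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_version", "1.0"),
        ("oauth_callback", "https://app.example/cb"),
    ]
    sig = hmac_sha1_signature("GET", REQUEST_TOKEN_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return {
        "base_string": signature_base_string("GET", REQUEST_TOKEN_URL, params),
        "buggy_normalized": buggy_normalize_parameters(params),
        "signing_key": signing_key(CONSUMER_SECRET, TOKEN_SECRET),
        "header": authorization_header(params, sig),
        "signature": sig,
    }


if __name__ == "__main__":
    for name, value in build_request_token_call().items():
        print(f"{name}: {value}")
    # Constructed callback: the provider sent the verifier 'abc+def' as abc%2Bdef.
    print(callback_parameters("https://app.example/cb?oauth_token=ab%2Fc%3D&oauth_verifier=abc%2Bdef"))
    # The same URL after a ToString()-style unescape: the '+' is now read as a space.
    print(callback_parameters("https://app.example/cb?oauth_token=ab/c=&oauth_verifier=abc+def"))
```

Comparing `base_string` with `buggy_normalized` shows why the provider rejects the signature: `oauth_token=ab/c=` in the unescaped form is ambiguous to the server's own parser, whereas the double-encoded `ab%252Fc%253D` in the base string is what the server computes on its side. The same escaping function is reused for the signing key and the header, which is the fix items 3 and 5 ask for.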