search

papiayeee / oauth-signpost

Automatically exported from code.google.com/p/oauth-signpost
0 stars 0 forks source link

consumer key with special characters causes signpost to generate incorrect signature #68

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
In which environment did the problem appear?
Android 2.2.1

What steps will reproduce the problem?
1. have a consumer key that has a special character in it (e.g., %)
2. try to access a protected resource using signpost
3. get an incorrect signature response

What is the expected output? What do you see instead?
1. have a consumer key that has a special character in it (e.g., %)
2. try to access a protected resource using signpost
3. profit

Please post code (fully executable, no pseudo code) that reproduces the
issue.
I isolated the issue by comparing signpost headers with the tool at 
"http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
/" and noticed that the signature base string was different when generated by 
signpost and the above tool.  

Please provide any additional information below.
The problem appears to be in oauth.signpost.http.HttpParameters in the 
following method:
   public String getAsQueryString(Object key) {
        StringBuilder sb = new StringBuilder();
        key = OAuth.percentEncode((String) key);
        Set<String> values = wrappedMap.get(key);
        if (values == null) {
            return key + "=";
        }
        Iterator<String> iter = values.iterator();
        while (iter.hasNext()) {
            sb.append(key + "=" + iter.next());
            if (iter.hasNext()) {
                sb.append("&");
            }
        }
        return sb.toString();
    }

Note that the values are not being Oauth.percentEncoded.

The correct code is:
   public String getAsQueryString(Object key) {
        StringBuilder sb = new StringBuilder();
        key = OAuth.percentEncode((String) key);
        Set<String> values = wrappedMap.get(key);
        if (values == null) {
            return key + "=";
        }
        Iterator<String> iter = values.iterator();
        while (iter.hasNext()) {
            sb.append(key + "=" + OAuth.percentEncode((String)iter.next()));
            if (iter.hasNext()) {
                sb.append("&");
            }
        }
        return sb.toString();
    }

Original issue reported on code.google.com by ldcc.ac2...@gmail.com on 27 Apr 2011 at 9:25

GoogleCodeExporter commented 8 years ago 
The issue is real but my proposed fix is wrong.

Original comment by ldcc.ac2...@gmail.com on 27 Apr 2011 at 9:52

GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
Please delete this issue - there was a space appended to the end of my consumer 
key that got encoded, making me think it was part of the key.  Thanks for 
signpost.

Original comment by ldcc.ac2...@gmail.com on 28 Apr 2011 at 1:25

GoogleCodeExporter commented 8 years ago

Original comment by m.kaepp...@gmail.com on 28 Apr 2011 at 1:50