preumich / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

Python: Oauth request Authorization header contains non-oauth prefixed params #31

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From 5.4.1 (http://oauth.net/core/1.0/#auth_header)

The authorization header contains oauth protocol parameters. These are ones 
that start with 
"oauth_", but in the python libs, the oauth header ends up containing even 
query string params.

What steps will reproduce the problem?
1. Use client.py (official oauth example python code) to make a GET request 
with one query 
string param in the url
2. Set http headers to oauth_request.to_header() for          
self.connection.request(oauth_request.http_method, oauth_request.http_url, 
headers=oauth_request.to_header())
3. Run GET request, the authorization header has "sort=date" as well

What is the expected output? What do you see instead?
While verification does not fail, it can mess up frameworks (like grails) that 
auto-populate the 
query string/post vars. Even in PHP for example, you would no longer be able to 
use the $_GET 
or $_POST superglobals to access those extra params

What version of the product are you using? On what operating system?
OS X, Python 2.5, Oauth python lib, custom groovy/grails-based provider using 
Java libs

Patch provided. (One-liner!)

Original issue reported on code.google.com by ashish.t...@gmail.com on 10 Jul 2008 at 3:36

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by andyster on 15 Jul 2008 at 11:17

GoogleCodeExporter commented 9 years ago
I ran into the same issue.

Original comment by naitiks@gmail.com on 5 Sep 2008 at 8:35

GoogleCodeExporter commented 9 years ago
I too ran into the same issue.. so had to find a way around... I had to use

del oauth_request.parameters[param] # url query param to be removed

before calling oauth_request.to_header()

Original comment by kunalmsh...@gmail.com on 30 Oct 2008 at 8:01

GoogleCodeExporter commented 9 years ago
I submitted a patch almost 4 months ago -- any status on whether this minute 
bug will be fixed or anything like 
that? Looks like others have faced the same issue and might be wasting time 
figuring out what the cause of this 
bug is.

Original comment by ashish.t...@gmail.com on 30 Oct 2008 at 8:17

GoogleCodeExporter commented 9 years ago
I ran into the same issue, and ended up coding almost the same patch (although a
little bit uglier, like the php version). Any change of being fixed?

Original comment by bzanc...@gmail.com on 4 Nov 2008 at 2:12

Attachments:

GoogleCodeExporter commented 9 years ago
additionally, in order to use yahoo's yql webservice, I also had to modify the
"to_url()" method. I'm not sure if this change breaks anything else..

Cumulative patch attached.

Original comment by bzanc...@gmail.com on 1 Dec 2008 at 4:18

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by leah.culver on 9 Jan 2009 at 12:30

GoogleCodeExporter commented 9 years ago
Thanks! This has been fixed. I'm not sure if the auth header should contain any
non-oauth params, so I hope nobody is expecting it to.

I'm not going to change the to_url() method. If this is a big problem, please 
file a
new ticket... this should probably be only oauth params - not the other way 
around.

Thanks all.

Original comment by leah.culver on 14 Jan 2009 at 8:33