ronanq / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

In C# OAuthBase.cs, UrlEncoded Paremeters (such as a search string containing a space) are improperly double-encoded when generating the signatureBase #138

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

In C# (haven't tested the other versions) Send an OAUTH request including a
url encoded query parameter (such as a search string with it's spaces
converted to "%20"s). The C# code currently double-url-encodes any already
url-encoded query string parameters, resulting in an invalid signature base
(ex: the %20 improperly becomes %2520).

What is the expected output? What do you see instead?

The signature is invalid because of the double-encoded reserved characters.

Please use labels and text to provide additional information.

I've uploaded a new version of OAuthBase.cs with a patch in place. Simply
UrlDecode the normalizedRequestParameters before re-encoding them. This
ensures there is no double-enoding.

The change is on OAuthBase.cs line 274.

- Bryan

Original issue reported on code.google.com by bryan.c...@gmail.com on 17 Dec 2009 at 8:08

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by morten.f...@gmail.com on 5 Jan 2010 at 11:36

GoogleCodeExporter commented 9 years ago
I have used above file (OAuthBase.cs) but when i am trying to send request it 
through an exception "The remote server returned an error: (401) 
Unauthorized.". 

Original comment by aashutos...@gmail.com on 28 Jul 2010 at 11:24

GoogleCodeExporter commented 9 years ago
I'm having the same problem, but then with the ','  (%2C). Even with the 
patched version, i'm getting 401 with "signature token is invalid".

Anybody know what's causing this?

Original comment by R.Schaafsma@gmail.com on 26 Nov 2010 at 12:11

GoogleCodeExporter commented 9 years ago
Note that the OAuth protocol RFC 5849 in Section 3.4.1.3.2 Step 1) indicates 
that when parameters are normalized, the parameter name and value must both be 
Url encoded before they are joined by "=" and concatenated with other 
parameters. The current version of OAuthBase.cs (on the google code server) 
does not do that. Thus, line 199 (in NormalizeRequestParameters method) must 
change from:

sb.AppendFormat("{0}={1}", p.Name, p.Value);

to

sb.AppendFormat("{0}={1}", UrlEncode(p.Name), UrlEncode(p.Value));

Original comment by taw...@gmail.com on 10 Dec 2010 at 10:30

GoogleCodeExporter commented 9 years ago
Agree with taw. To get this to work, I had to add UrlEncode() to the original 
parameters.

Original comment by tom.e.os...@gmail.com on 6 Apr 2011 at 6:11

GoogleCodeExporter commented 9 years ago
Thank you very much it helps :)

Original comment by winston....@gmail.com on 20 Mar 2014 at 4:31