search

sireno / oauth

Automatically exported from code.google.com/p/oauth
0 stars 0 forks source link

php: overescaping in plaintext signature #17

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
OAuthSignatureMethod_PLAINTEXT::build_signature() returns 
already urlencoded value. This breaks OAuthServer::check_signature()
as it compares urlDecoded value from request with urlEncoded value
generated with build_signature. 

build_signature should not escape returned value, as it will be escaped 
later in OAuthRequest::to_postdata(). See [1] for example of once-encoded
ampersand in plaintext signature.

[1]: http://oauth.net/core/1.0/#anchor27

Original issue reported on code.google.com by atregoub...@gmail.com on 26 Mar 2008 at 8:52

Attachments:

GoogleCodeExporter commented 8 years ago 
this may have been fixed before, but it certainly appears to work now

From the library:

            [oauth_signature_method] => PLAINTEXT
            [oauth_signature] => djr9rjt0jd78jf88%26jjd99%2524tj88uiths3

From the spec:

 These examples show the value of oauth_signature  for Consumer Secret
djr9rjt0jd78jf88 and 3 different Token Secrets:

    jjd999tj88uiths3:
        oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3 
    jjd99$tj88uiths3:
        oauth_signature=djr9rjt0jd78jf88%26jjd99%2524tj88uiths3 

djr9rjt0jd78jf88%26jjd99%2524tj88uiths3
==
djr9rjt0jd78jf88%26jjd99%2524tj88uiths3

Original comment by andyster on 15 Jul 2008 at 10:13