skdevelopers / oauth-php

Example's can be found at SK Developers
http://www.skdevelopers.info/oauth
MIT License
1 stars 0 forks source link

Wrong $method detection #69

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
there is such lines at OAuthRequest:

                if (isset($_SERVER['SCRIPT_URI'])) {
                    $method = $_SERVER['SCRIPT_URI'] . $_SERVER['QUERY_STRING'];
                }

At my $_SERVER superglobal i have this data:

  ["SCRIPT_URI"]=>
  string(54) "http://dev01.odesk.com/api/auth/v1/oauth/token/request"

So - at this step oauth-php detects $method in wrong way, does it?

Original issue reported on code.google.com by zerkmss on 7 Oct 2010 at 11:15

GoogleCodeExporter commented 9 years ago
Hi, I don't understand what the bug is. Is the SCRIPT_URI value wrong in your 
case? Please answer:

What were you expecting?

What really happened?

Original comment by brunobg%...@gtempaccount.com on 7 Oct 2010 at 3:21

GoogleCodeExporter commented 9 years ago
I expect $method == 'post', because i'm sending POST request

Original comment by zerkmss on 7 Oct 2010 at 9:56

GoogleCodeExporter commented 9 years ago
Hi,
I struggled with and found the same bug. 

The bug is that the order of detection in lines 89-97 is wrong. You will always 
have a $_SERVER['REQUEST_URI'] hence (at least on an Apache server) detecting 
the method from $_SERVER['SCRIPT_URI'] first, prevents to ever use GET or POST.

Changing the order to:
if (isset($_SERVER['REQUEST_METHOD'])) {
                    $method = $_SERVER['REQUEST_METHOD'];
                }
                else if(isset($_SERVER['SCRIPT_URI'])) {
                    $method = $_SERVER['SCRIPT_URI'] . $_SERVER['QUERY_STRING'];
                }
                else {
                    $method = 'GET';
                }
solves the problem.

Original comment by pnp.anc...@gmail.com on 10 Oct 2010 at 1:18

GoogleCodeExporter commented 9 years ago
Exactly ;-) Since I'm using oauth-php only under apache - I just froze that 
condition with false:

if (false && isset($_SERVER['SCRIPT_URI'])) {

ps: also it is a little annoying that oauth-php always use "echo" to return 
results. i think it would be better to return strings (or not catch exception) 
so I can after do whatever I want with the results (or I can catch and handle 
exception as I wish). But currently all I can do is just to catch output with 
ob_* and parse it :-S

Original comment by zerkmss on 10 Oct 2010 at 1:23

GoogleCodeExporter commented 9 years ago
Fixed on r162 using pnp's patch.

@zerkmss: About the echo: where are you talking about? The only place that 
echoes is OAuthServer for requestToken() and accessToken(), because the browser 
needs to get this information back. Is this what you want to override? If so, 
please open a new issue and make your suggestion :)

Original comment by brunobg%...@gtempaccount.com on 28 Oct 2010 at 4:12