surjit / oauth

Automatically exported from code.google.com/p/oauth

javascript library urlencoding issues #10

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Steps:

1. GET http://some.domain.com/?q=x/y
2. Encode signature with HMAC-SHA1

Result:
parameter list is double urlencoded - should be x%2Fy when submitted for
sha1 encoding, instead is x%252Fy

Encoding happens on line 337 and 359

ALSO

1. signature is generated that contains + character
2. signature is not urlencoded
3. + is received at other end and converted into space

the signature needs to be urlencoded after generation (see line 236)

Original issue reported on code.google.com by tom.led...@gmail.com on 27 Feb 2008 at 6:01

GoogleCodeExporter commented 9 years ago
These aren't bugs, I believe.

The / in q=x/y should be URL encoded twice before computing an HMAC from it.

oauth.js is designed to encode parameters shortly before transmitting them, for 
example when OAuth.addToURL constructs a query string fragment by calling 
OAuth.formEncode.  It doesn't encode parameters in a message object, by design. 

This harmonizes with the JavaScript object model for elements of an input form, 
whose value property isn't URL encoded.  Instead, the browser encodes each value 
before transmitting it.

Original comment by jmkrist...@gmail.com on 10 Jul 2008 at 2:08
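The two encoding steps discussed in this thread, as an added example (not code from oauth.js and not written by either commenter): OAuth 1.0 percent-encodes each parameter and then percent-encodes the whole normalized string again for the signature base string, and the resulting signature is encoded like any other value when the query string is built. The function names, the secret and the `a+b/c=` signature are constructed for illustration; the code assumes Node.js.

```javascript
const crypto = require("crypto");

// OAuth 1.0 percent-encoding: escape everything except A-Z a-z 0-9 - . _ ~
function percentEncode(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Parameters are held decoded; each name and value is encoded once here,
// then the pairs are sorted by name, then value, and joined.
function normalizeParameters(params) {
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  return Object.entries(params)
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map((pair) => pair.join("="))
    .join("&");
}

// Base string: method, URL (without query) and the normalized parameters,
// each percent-encoded again as a whole. This is where x%2Fy becomes x%252Fy.
function signatureBaseString(method, url, params) {
  return [method.toUpperCase(), url, normalizeParameters(params)]
    .map(percentEncode)
    .join("&");
}

// HMAC-SHA1 over the base string; the key is the two encoded secrets joined by "&".
function sign(baseString, consumerSecret, tokenSecret) {
  const key = percentEncode(consumerSecret) + "&" + percentEncode(tokenSecret);
  return crypto.createHmac("sha1", key).update(baseString).digest("base64");
}

// Query string for transmission: the base64 signature is encoded with the
// other values, so "+" travels as %2B instead of being read as a space.
function toQuery(params, signature) {
  return normalizeParameters({ ...params, oauth_signature: signature });
}

// What a form-decoding receiver recovers as the signature.
function receivedSignature(query) {
  return new URLSearchParams(query).get("oauth_signature");
}

const demoParams = { q: "x/y" }; // constructed request from the report
const demoBase = signatureBaseString("GET", "http://some.domain.com/", demoParams);
console.log(demoBase);
console.log(toQuery(demoParams, sign(demoBase, "constructed-secret", "")));
```

The single-encoded form (`q=x%2Fy`) is what goes on the wire; the double-encoded form exists only inside the base string that is fed to HMAC-SHA1.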

GoogleCodeExporter commented 9 years ago

Original comment by jmkrist...@gmail.com on 10 Jul 2008 at 2:15

GoogleCodeExporter commented 9 years ago

Original comment by jmkrist...@gmail.com on 10 Jul 2008 at 2:16