surjit / oauth

Automatically exported from code.google.com/p/oauth

Coldfusion library hmac-sha1 sig method does not sign requests correctly #35

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

Sign a request using OAuthSignatureMethod_HMAC_SHA1 and examine the value
of sResult before it is returned from
OAuthSignatureMethod_HMAC_SHA1.buildSignature()

What is the expected output? What do you see instead?

Currently the library is not URL-encoding the base string before signing it.
For example:

POST&http://api.domain.com/login/request&oauth_consumer_key=111222333&oauth_nonce=833C7083155C6DAD6E874796B77414670D447FDB&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1218443250&oauth_version=1.0

The expected base string should be: 

POST&http%3A%2F%2Fapi.domain.com%2Flogin%2Frequest&format%3Djson%26oauth_consumer_key%3D111222333%26oauth_nonce%3DE4A29C58631066226567BA13165E626D067760CA%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1218443373%26oauth_version%3D1.0

What version of the product are you using? On what operating system?
rev: 626

Please provide any additional information below.

Below is an updated buildSignature function that will correctly URL-encode
each portion of the base string. Please note the use of
java.net.URLEncoder to do the URL encoding and NOT ColdFusion's built-in
urlEncodedFormat() function. urlEncodedFormat will (incorrectly?) encode
".", "-" and "_" to their % values, causing the signature to be invalid.

<!--- builds a SHA-1 signature --->
<cffunction name="buildSignature" access="public" returntype="string">
    <cfargument name="oRequest"     required="true" type="OAuthRequest">
    <cfargument name="oConsumer"    required="true" type="OAuthConsumer">
    <cfargument name="oToken"       required="true" type="OAuthToken">

    <!--- java.net.URLEncoder leaves ".", "-" and "_" unencoded --->
    <cfset var encoder = createObject("java", "java.net.URLEncoder") />
    <cfset var aSignature = ArrayNew(1)>
    <cfset var sKey = "">
    <cfset var sResult = "">
    <cfset var sHashed = "">
    <cfset var digest = "">

    <!--- URL-encode each part of the base string separately; the charset is
          given explicitly so the result does not depend on the platform default --->
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getNormalizedHttpMethod(), "UTF-8"))>
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getNormalizedHttpURL(), "UTF-8"))>
    <cfset ArrayAppend(aSignature, encoder.encode(arguments.oRequest.getSignableParameters(), "UTF-8"))>

    <!--- signing key: consumer secret & "&" & token secret --->
    <cfset sKey = arguments.oConsumer.getSecret() & "&">
    <cfset sKey = sKey & arguments.oToken.getSecret()>
    <!--- base string: the three encoded parts joined with "&" --->
    <cfset sResult = ArrayToList(aSignature, "&")>

    <cfset sHashed = hmac_sha1(
        signKey = sKey,
        signMessage = sResult)>

    <cfreturn sHashed>
</cffunction>

Original issue reported on code.google.com by d1rtym0n...@gmail.com on 11 Aug 2008 at 8:37
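
The base string construction discussed in the report above, as an added Python example that is not part of the original issue or the library's code. It applies the OAuth 1.0 parameter encoding (only letters, digits, "-", ".", "_" and "~" stay literal) to the request values from the expected base string; the secrets are constructed sample values and the URL is assumed to be already normalized.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """OAuth 1.0 parameter encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & URL & sorted parameters, each encoded."""
    # Encode every name and value first, then sort and join as name=value pairs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Encode the three parts again as whole units so that "&" and "=" inside
    # a part can never be confused with the separators between parts.
    return "&".join(pct(p) for p in (method.upper(), url, normalized))


def sign(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with the two encoded secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Request values taken from the expected base string in the report.
METHOD = "POST"
URL = "http://api.domain.com/login/request"  # assumed already normalized
PARAMS = {
    "format": "json",
    "oauth_consumer_key": "111222333",
    "oauth_nonce": "E4A29C58631066226567BA13165E626D067760CA",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1218443373",
    "oauth_version": "1.0",
}
# Constructed sample secrets, not real credentials.
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"

if __name__ == "__main__":
    encoded = base_string(METHOD, URL, PARAMS)
    print(encoded)
    print(sign(encoded, CONSUMER_SECRET, TOKEN_SECRET))
```

A value containing "&" ends up as %2526 in the base string, which is what keeps it from being read as a parameter separator when the signature is verified.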

GoogleCodeExporter commented 9 years ago

Original comment by leah.culver on 14 Jan 2009 at 8:36

GoogleCodeExporter commented 9 years ago
fixed with revision 869

Original comment by derric...@gmail.com on 27 Jan 2009 at 3:20