tjjingshen / sfdc-oauth-playground

Automatically exported from code.google.com/p/sfdc-oauth-playground

Signing does not properly handle encoded parameters #3

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Attempting to use the SimpleGeo API (http://simplegeo.com/), invoking the URL http://api.simplegeo.com/1.0/context/address.json?address="1+Market+St,+San+Francisco,+CA" fails, with the following error from SimpleGeo:

"Invalid signature: expected base signature: GET&http%3A%2F%2Fapi.simplegeo.com%2F1.0%2Fcontext%2Faddress.json&address%3D%25221%2520Market%2520St%252C%2520San%2520Francisco%252C%2520CA%2522%26oauth_callback%3Dnull%26oauth_consumer_key%3DDKhqRNypNacwrefjWJSEsVYsmJMSG7V9%26oauth_nonce%3D9127438362369930968%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1295886721%26oauth_token%3D"

Looking at the debug output, the base signature produced by OAuth.cls is:
GET&http%3A%2F%2Fapi.simplegeo.com%2F1.0%2Fcontext%2Faddress.json&address%3D%221%2BMarket%2BSt%2C%2BSan%2BFrancisco%2C%2BCA%22%26oauth_callback%3Dnull%26oauth_consumer_key%3DDKhqRNypNacwrefjWJSEsVYsmJMSG7V9%26oauth_nonce%3D9127438362369930968%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1295886721%26oauth_token%3D

The problem is that the double quotes and plus signs in the address parameter 
value are not being properly decoded/encoded before being sorted and added to 
the signature base. OAuth spec (RFC 5849) sections 3.4.1.3.1 and 3.4.1.3.2 
specify that parameter names and values are decoded then encoded before being 
sorted and concatenated; Section 3.6 specifies that space must be encoded as 
%20 and not +.

Attached patch properly decodes/encodes parameter names and values as 
specified, and works with SimpleGeo.

Original issue reported on code.google.com by metada...@gmail.com on 24 Jan 2011 at 4:39
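The base string construction the report describes, as an added example (not code from OAuth.cls or the sfdc-oauth-playground project): Python that builds the RFC 5849 signature base string for the request in the issue, decoding the query (with "+" as space) and percent-encoding each name and value before sorting, beside a reconstruction of a single-pass encoding that reproduces the debug output. The oauth_* values are taken from the strings above; function names are mine.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed from the request and oauth_* parameters shown in the issue;
# oauth_token is empty because the request carries no access token.
METHOD = "GET"
URL = ('http://api.simplegeo.com/1.0/context/address.json'
       '?address="1+Market+St,+San+Francisco,+CA"')
OAUTH_PARAMS = {
    "oauth_callback": "null",
    "oauth_consumer_key": "DKhqRNypNacwrefjWJSEsVYsmJMSG7V9",
    "oauth_nonce": "9127438362369930968",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1295886721",
    "oauth_token": "",
}


def pct(s):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~'
    stay literal; everything else, space included, becomes %XX (never '+')."""
    return quote(s, safe="-._~")


def split_url(url):
    """Return the base string URI (scheme://host/path) and the raw query."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}", p.query


def base_string_correct(method, url, oauth_params):
    base_uri, query = split_url(url)
    # 3.4.1.3.1: decode the query; parse_qsl decodes %XX and maps '+' to space.
    # keep_blank_values keeps empty values such as oauth_token=.
    params = parse_qsl(query, keep_blank_values=True) + list(oauth_params.items())
    # 3.4.1.3.2: encode name and value separately, sort, join with '=' and '&'.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # 3.4.1.1: method, base URI and normalized parameters, each encoded again.
    return "&".join([pct(method.upper()), pct(base_uri), pct(normalized)])


def base_string_buggy(method, url, oauth_params):
    """Reconstruction (not OAuth.cls itself) of a build that reproduces the
    issue's debug output: raw query text is joined with the oauth_* pairs and
    encoded only once, so '+' survives as %2B and '"' is encoded a single time."""
    base_uri, query = split_url(url)
    pairs = query.split("&") + [f"{k}={v}" for k, v in oauth_params.items()]
    return "&".join([pct(method.upper()), pct(base_uri), pct("&".join(sorted(pairs)))])
```

Comparing the two outputs against the strings quoted in the report shows exactly the %2B-versus-%2520 and %22-versus-%2522 differences that make SimpleGeo reject the signature.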