yahya800 / oauth

Automatically exported from code.google.com/p/oauth

OAuthRequest::from_request doesn't take magic_quotes_gpc into account. #61

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Turn on magic_quotes_gpc
2. Use OAuthRequest::from_request with parameters containing quotes or backslashes
3. Watch in shock and awe as your signatures don't match!

What is the expected output? What do you see instead?
Signatures should match. Instead, they don't because of backslashes being
where they shouldn't be.

Please provide any additional information below.

Simple fix:

Index: httpdocs/src/extlib/oauth/OAuth.php
===================================================================
--- OAuth.php (revision 434)
+++ OAuth.php (working copy)
@@ -187,6 +187,11 @@

     $request_headers = OAuthRequest::get_headers();

+    if (get_magic_quotes_gpc()) {
+      $_GET = array_map('stripslashes', $_GET);
+      $_POST = array_map('stripslashes', $_POST);
+    }
+
     // let the library user override things however they'd like, if they know
     // which parameters to use then go for it, for example XMLRPC might
want to
     // do this
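
Review bot: array_map('stripslashes', ...) in the added block only works when every entry of $_GET and $_POST is a string; a request with an array-valued parameter hands an array to stripslashes, so this needs a recursive helper. The block also assigns the result back to the superglobals, guarded only by get_magic_quotes_gpc(), so a second call to from_request in the same request strips again and removes backslashes the client really sent. Strip a local copy of the parameters instead and leave $_GET and $_POST untouched.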

Original issue reported on code.google.com by mister...@gmail.com on 6 Nov 2008 at 8:32

GoogleCodeExporter commented 9 years ago

Original comment by leah.culver on 14 Jan 2009 at 9:53

GoogleCodeExporter commented 9 years ago
I should note that the simple fix I posted won't actually work if there are things other than strings in $_GET or $_POST. Sometimes there are arrays in there, and this messes up when that is the case...

Original comment by mister...@gmail.com on 14 Jan 2009 at 11:07

GoogleCodeExporter commented 9 years ago
I will write a recursive function like the url(en|de)code functions that will fix this as soon as I get time...
Should be sometime over this weekend...

Original comment by morten.f...@gmail.com on 31 Jan 2009 at 9:09

GoogleCodeExporter commented 9 years ago
I've made a recursive function for removing magic-quotes now 
(OAuthUtil::remove_magic_quotes)..

I have tested it on the oauth-php demo provider as well as my own oauth-php 
based provider..

-Morten

Original comment by morten.f...@gmail.com on 1 Feb 2009 at 10:52

Attachments:
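
The failure and the recursive fix discussed in this thread, as an added example (not the library's code and not the attachment mentioned above): it simulates magic_quotes_gpc with addslashes(), then strips a copy of the parameters recursively so array-valued entries are handled. The names strip_magic_quotes_deep, simulate_magic_quotes and toy_signature are hypothetical, and toy_signature is a simplified stand-in for OAuth signing, not the real signature base string.

```php
<?php
// Added example; every function name here is hypothetical.

// Recursively undo magic_quotes_gpc-style escaping on a COPY of the input.
// Assumption: parameter names (array keys) contain no quotes or backslashes,
// so only values are stripped.
function strip_magic_quotes_deep($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Reproduce what magic_quotes_gpc did to request data: addslashes() on every string.
function simulate_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('simulate_magic_quotes', $value);
    }
    return addslashes($value);
}

// Simplified stand-in for signing: HMAC-SHA1 over the sorted, RFC 3986 encoded parameters.
function toy_signature(array $params, $key) {
    ksort($params);
    $base = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Constructed sample request: one string with quotes and a backslash, one array value.
$sent = array(
    'status' => "it's a \"test\" \\ ok",
    'tags'   => array("o'reilly", 'php'),
);
$key = 'consumer_secret&token_secret'; // constructed value

$client_sig = toy_signature($sent, $key);          // what the client signed
$received   = simulate_magic_quotes($sent);        // what $_GET/$_POST would hold
$restored   = strip_magic_quotes_deep($received);  // local copy, superglobals untouched

printf("value as received:        %s\n", $received['tags'][0]);
printf("escaped input verifies:   %s\n",
    var_export(toy_signature($received, $key) === $client_sig, true));
printf("stripped copy verifies:   %s\n",
    var_export(toy_signature($restored, $key) === $client_sig, true));
```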