Improper handling of xoauth_* query parameters #124

GoogleCodeExporter opened this issue Dec 16, 2015 · 0 comments

What steps will reproduce the problem?
1. Add params to an OAuth request with xoauth_ as a prefix
2. Observe they incorrectly get added to the Authorization header and removed from query params in violation of spec

What is the expected output?

Authorization: OAuth realm="", oauth_signature_method="HMAC-SHA1", oauth_signature="eE3to2CjqfLS7YREYgaPdVwoT1s%3D", oauth_nonce="4f877a4704166", oauth_timestamp="1334278727", oauth_token="", oauth_consumer_key="REDACTED", oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
Content-Length: 63

What do you see instead?

Authorization: OAuth realm="", xoauth_oauth2_access_token="REDACTED", oauth_signature_method="HMAC-SHA1", oauth_signature="djqNq8cPkKXrqh5BXXff5fnDV9M%3D", oauth_nonce="4f877864cb6a6", oauth_timestamp="1334278244", oauth_token="", oauth_consumer_key="REDACTED", oauth_version="1.0"
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

What version of the product are you using? On what operating system?

oauth-php-175 (operating system is irrelevant)

Please provide any additional information below.

--- ../../library/OAuthRequestSigner.php    2012-04-12 18:19:34.000000000 -0700
+++ ../../library/OAuthRequestSigner-unbroken.php   2012-04-12 18:19:13.000000000 
-0700
@@ -152,7 +152,7 @@

    /**
     * Builds the Authorization header for the request.
-    * Adds all oauth_ and xoauth_ parameters to the Authorization header.
+    * Adds all oauth_ parameters to the Authorization header.
     * 
     * @return string
     */
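Review bot: The updated docblock says which parameters go into the Authorization header but no longer says where the rest end up; add a sentence stating that all other parameters, including xoauth_-prefixed ones, are left in the query string or request body so callers of this signer know where to expect them.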
@@ -166,7 +166,7 @@
        $h[] = 'Authorization: OAuth realm=""';
        foreach ($this->param as $name => $value)
        {
-           if (strncmp($name, 'oauth_', 6) == 0 || strncmp($name, 'xoauth_', 7) == 0)
+           if (strncmp($name, 'oauth_', 6) == 0)
            {
                $h[] = $name.'="'.$value.'"';
            }
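Review bot: The prefix check is now consistent with the reporter's expected header, but the line that emits each parameter, `$h[] = $name.'="'.$value.'"';`, concatenates `$value` into the header without any escaping; unless values are guaranteed to be percent-encoded before they reach `$this->param`, a value containing `"` or `,` would corrupt the header and change how the provider parses the parameters that follow it. Either encode at this point or document the invariant, and add a test that builds a request with an xoauth_ parameter and asserts it is absent from the header and present in the body, since the `Content-Length: 0` in the report shows the parameter was silently dropped from the body before.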
@@ -189,7 +189,7 @@
        foreach ($this->param as $name => $value)
        {
            if (    !$oauth_as_header 
-               ||  (strncmp($name, 'oauth_', 6) != 0 && strncmp($name, 'xoauth_', 7) != 0))
+               ||  (strncmp($name, 'oauth_', 6) != 0)
            {
                if (is_array($value))
                {
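Review bot: The rewritten condition keeps a now-redundant pair of parentheses around `strncmp($name, 'oauth_', 6) != 0`; drop them for readability. More importantly, this check must stay the exact mirror of the header-side check in the hunk at line 166, otherwise a parameter could be emitted in both places or in neither; extracting the prefix test into one small helper (for example a hypothetical `isOAuthParam($name)`) used by both loops would keep the two in sync.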

Without the above change, the library is in clear violation of the OAuth 1.0a spec. Some background reading is available here:

http://hueniverse.com/2009/03/clarifying-oauth-requirements-for-service-providers/
http://groups.google.com/group/oauth/browse_thread/thread/662fc80c07d25bd5/b88e2e035e1cfe6f?pli=1

Original issue reported on code.google.com by jsjoh...@gmail.com on 13 Apr 2012 at 1:28
