Comments (6)
GoogleCodeExporter
commented on May 18, 2024
[deleted comment]
from oauth.
GoogleCodeExporter
commented on May 18, 2024
Here's a patch.
Original comment by [email protected] on 22 Oct 2008 at 1:17
Attachments:
from oauth.
GoogleCodeExporter
commented on May 18, 2024
I assume this is because in OAuth Core 1.0 spec, section 9.4.1 describes "The
result
MUST be encoded again.". The spec is ambiguous. I assumed that the string in
the
example might be a partial string in query string (GET method), reffering the
example in section 9.1.1.
So, OAuth python library is double encoding.
Original comment by [email protected] on 24 Oct 2008 at 1:06
from oauth.
GoogleCodeExporter
commented on May 18, 2024
Sorry I couldn't understand this sentence: "I assumed that the string in the
example
might be a partial string in query string (GET method)"
I am redirecting the user to the authorization page over GET (not POST) if that
is
what you are saying. But, as far as I can tell, none of the other libraries are
doing this. To top it off, Netflix's OAuth implementation does not urldecode
twice,
so the redirect back to my page doesnt work. So I assume that this is the
problem,
and not everyone else...
Original comment by [email protected] on 24 Oct 2008 at 3:02
from oauth.
GoogleCodeExporter
commented on May 18, 2024
Sorry, I did not describe well what I wanted to mean. I think this is actually
a
library's bug, and thought about why this happened. I assumed that this was
introduced by misunderstanding of the spec. Why misunderstood? Because the spec
is
so misleading.
The spec allows three method to pass the parameters, GET(in query string),
POST(as
Content-type: application/x-www-form-urlencoded), http header(Authorization:
OAuth ....params).
The example in the spec section 9.4.1 is:
oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3
This is not a good example, because this is not what appears in case in http
header.
If you choose GET, the URL might be
http://example.com/..../path?query=value&....&oauth_signature=djr9rjt0jd78jf88%
26jjd999tj88uiths3&.....
Or, you choose POST, the body might be
query=value&....&oauth_signature=djr9rjt0jd78jf88%26jjd999tj88uiths3&.....
Or, you choose http header,
Authorization OAuth query="value",
...
oauth_signature="djr9rjt0jd78jf88%26jjd999tj88uiths3",
.....
The spec says "The result MUST be encoded again.", this is ambiguous. So, I
assume
this bug was introduced.
Original comment by [email protected] on 24 Oct 2008 at 4:18
from oauth.
GoogleCodeExporter
commented on May 18, 2024
Thanks for catching this bug! It's fixed now.
Original comment by leah.culver on 14 Jan 2009 at 9:03
- Changed state: Fixed
- Added labels: Lib-Python
from oauth.
Related Issues (20)
- liboauth should use strtok_r instead of strtok to support multithreaded usage
- Objc: NSRangeException when PUT/POST
- [java] split package syndrom
- PHP - oauth_callback is not used in from_consumer_and_token
- PHP Server has case sensitive HTTP headers
- JMeter OAuth Sampler relying on now removed JOrphanUtils method call HOT 2
- Parameter Sort not working in VB.NET Class (and Fix)
- Ouath.php Load balancer issues
- how can i get the token for my http://wholesale.nuorder.com/api/
- Python library nonce generation is insecure
- PHP Fatal error: Cannot redeclare class OAuthException in OAuth.php on line 8
- In C# Code the URL Parameters and their values must be encoded before generating the hash-code
- Problem in OAuthRequest->from_request (PHP lib)
- oauth_problem_advice: Failed to validate signature
- php lib as a server back a server-proxy
- Code review request
- java: net.oauth.OAuthMessage uses unsafe method for nonce generation HOT 2
- Code review request
- Patch for /code/javascript/sha1.js
- Patch for /code/c/liboauth/src/oauth_http.c
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth.