Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#9313 closed defect (fixed)

[patch][cla]OAuth base string is incorrect

Reported by: Mark Wubben
Owned by: Tom Trenka
Priority: high
Milestone: 1.4
Component: Dojox
Version: 1.3.0
Keywords:
Cc: Tom Trenka
Blocked By:
Blocking:

Description incorrectly constructs the OAuth base string. Instead of encoding the entire normalized request parameters string, it only encodes = and & characters.

From the OAuth specification §9.1.3:

Each item is encoded and separated by an ‘&’ character (ASCII code 38), even if empty.

(Here "item" refers to the HTTP request method, the request URL and the normalized request parameters string).

When the parameters include other encoded characters, such as %2A, they end up in the base string as %2A rather than %252A, causing OAuth requests to fail.

The Netflix OAuth Test does encode a * argument to %252A in the signature string. (Note that it only replaces one character, ** is incorrectly encoded to %252A%2A.)

Attachments (1)

OAuth.js.patch (509 bytes) - added by Mark Wubben 13 years ago.
Patch for base string encoding
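
The encoding difference described in this ticket, as an added example (not code from the ticket, the attached patch, or dojox). The function names and the sample request are constructed for illustration; `baseStringBuggy` only models the behaviour the description reports.

```javascript
// OAuth parameter encoding: only unreserved characters (ALPHA, DIGIT, - . _ ~)
// stay literal. encodeURIComponent leaves ! * ' ( ) alone, so encode those too.
function oauthEncode(s) {
  return encodeURIComponent(s).replace(/[!*'()]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });
}

// Normalized request parameters: encode names and values, sort by name and
// then by value, join as name=value pairs separated by '&'.
function normalizeParams(params) {
  return params
    .map(function (p) { return [oauthEncode(p[0]), oauthEncode(p[1])]; })
    .sort(function (a, b) {
      if (a[0] !== b[0]) return a[0] < b[0] ? -1 : 1;
      return a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
    })
    .map(function (p) { return p[0] + "=" + p[1]; })
    .join("&");
}

// Model of the reported behaviour: only '=' and '&' in the normalized string
// are encoded, so an already-encoded %2A stays %2A.
function baseStringBuggy(method, url, params) {
  var normalized = normalizeParams(params)
    .replace(/=/g, "%3D")
    .replace(/&/g, "%26");
  return [method.toUpperCase(), oauthEncode(url), normalized].join("&");
}

// Section 9.1.3 behaviour: each item is encoded as a whole, so the '%' of
// %2A is itself encoded and the base string carries %252A.
function baseStringFixed(method, url, params) {
  return [
    method.toUpperCase(),
    oauthEncode(url),
    oauthEncode(normalizeParams(params))
  ].join("&");
}

// Constructed sample request (hypothetical URL and parameter values).
var SAMPLE_URL = "http://example.com/catalog";
var SAMPLE_PARAMS = [["term", "a*b"], ["oauth_nonce", "abc123"]];
console.log(baseStringBuggy("get", SAMPLE_URL, SAMPLE_PARAMS));
console.log(baseStringFixed("get", SAMPLE_URL, SAMPLE_PARAMS));
```

The two results differ only in `%2A` versus `%252A`, which is enough for the signature computed over them to differ from the one the server computes.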


Change History (4)

Changed 13 years ago by Mark Wubben

Attachment: OAuth.js.patch added

Patch for base string encoding

comment:1 Changed 13 years ago by Adam Peller

Component: General → Dojox
Owner: changed from anonymous to Tom Trenka
Summary: OAuth base string is incorrect → [patch][cla]OAuth base string is incorrect

comment:2 Changed 12 years ago by Tom Trenka

Resolution: fixed
Status: new → closed

(In [20375]) Implement patch as submitted by Mark Wubben. Fixes #9313 !strict.

comment:3 Changed 12 years ago by bill

Milestone: tbd → 1.4