
This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 30115
Status: resolved
Priority: 0/
Queue: Net-OAuth

People
Owner: Nobody in particular
Requestors: rt.cpan [...] sartak.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.03
Fixed in: (no value)



Subject: (Empty) token_secret not included in RequestTokenRequest
Hi again Keith,

This time I have a real bug for you! :)

The token_secret is _always_ a required signature element, even if you have no token yet (during RequestTokenRequest it should just be the empty string). Net::OAuth doesn't include the token_secret during RequestTokenRequest. The effect is that the signature base string is missing a final & during HMAC/RSA RequestTokenRequests.

Your test suite misses this bug because it uses PLAINTEXT for the Request Token Request, which bypasses the signature base string.

Attached are tests and a fix. I think my fix hits all of the cases correctly. It's just a parameter that is joined into the signature base string until you get to AccessTokenRequest, where it becomes a required API parameter.

Shawn
Subject: fix-token-secret.diff
diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm --- old-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/lib/Net/OAuth/AccessTokenRequest.pm 2007-10-18 22:31:04.000000000 -0400 @@ -5,7 +5,6 @@ __PACKAGE__->add_required_request_params(qw/token/); __PACKAGE__->add_required_api_params(qw/token_secret/); -__PACKAGE__->add_to_signature(qw/token_secret/); sub allow_extra_params {0} =head1 NAME diff -rN -u old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm --- old-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/lib/Net/OAuth/Request.pm 2007-10-18 22:31:04.000000000 -0400 @@ -29,13 +29,14 @@ request_url normalized_request_parameters consumer_secret + token_secret /]); __PACKAGE__->mk_accessors( @{__PACKAGE__->required_request_params}, @{__PACKAGE__->optional_request_params}, @{__PACKAGE__->required_api_params}, - qw/extra_params signature signature_key/ + qw/extra_params signature signature_key token_secret/ ); sub add_required_request_params { diff -rN -u old-Net-OAuth-0.03/t/01-spec.t new-Net-OAuth-0.03/t/01-spec.t --- old-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400 +++ new-Net-OAuth-0.03/t/01-spec.t 2007-10-18 22:31:04.000000000 -0400 @@ -2,7 +2,7 @@ use strict; use warnings; -use Test::More tests => 12; +use Test::More tests => 15; BEGIN { use_ok( 'Net::OAuth::Request' ); 
@@ -82,3 +82,20 @@ oauth_version="1.0" EOT +$request = Net::OAuth::RequestTokenRequest->new( + consumer_key => 'dpf43f3p2l4k3l03', + consumer_secret => 'kd94hf93k423kf44', + request_url => 'https://photos.example.net/request_token', + request_method => 'POST', + signature_method => 'HMAC-SHA1', + timestamp => '1191242090', + nonce => 'hsu94j3884jdopsl', +); + +$request->sign; + +ok($request->verify); + +is($request->signature_base_string, 'POST&https%3A%2F%2Fphotos.example.net%2Frequest_token&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dhsu94j3884jdopsl%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242090%26oauth_version%3D1.0&kd94hf93k423kf44&'); +is($request->signature, 'ivUllEyrORt90wdGXjOp5Z+ERCQ'); +
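Review bot: In the AccessTokenRequest.pm hunk, dropping `add_to_signature(qw/token_secret/)` means the position of token_secret in the base string is now decided only by the shared list in Request.pm, and none of the three assertions added in t/01-spec.t signs an AccessTokenRequest. Add an HMAC-SHA1 AccessTokenRequest case with a non-empty token_secret and assert its `signature_base_string`, so the change is shown not to move or duplicate that element.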
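Review bot: In the Request.pm hunk, `token_secret` becomes a base signature element and an accessor on every request class, but the only visible place it is required is AccessTokenRequest.pm (`add_required_api_params(qw/token_secret/)`). For any other request class that is sent with a token, a caller who forgets token_secret would sign with an empty secret and get no error from the library; either mark it required in those classes or document that an unset value is treated as ''. The hunk also does not show how an undefined value is handled where the elements are joined, so check that path under `use warnings`.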
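Review bot: In the block added to t/01-spec.t, `ok($request->verify)` is called on the same object that just ran `sign`, so it passes even if both steps build the same wrong base string; only the two `is(...)` checks pin the fix. Give the assertions test names and consider verifying with a separately constructed request. Also, the expected signature 'ivUllEyrORt90wdGXjOp5Z+ERCQ' is 27 characters, which is the base64 of a 20-byte HMAC-SHA1 with the trailing `=` dropped; confirm unpadded output is intended, since a peer that compares against padded base64 would reject it.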
Thanks for the great patch! Applied in SVN r199, and released on CPAN as v0.04

