This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 60154
Status: new
Priority: 0/
Queue: Net-OAuth

People
Owner: Nobody in particular
Requestors: alasdair.mcintyre [...] lovefilm.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Repeated parameters incorrectly handled
Date: Fri, 6 Aug 2010 22:46:27 +0100
To: <bug-Net-OAuth [...] rt.cpan.org>
From: "Alasdair McIntyre" <alasdair.mcintyre [...] lovefilm.com>
Distribution: Net-OAuth-0.27

URIs with repeated query parameters are mishandled. Example code:

    #!/usr/bin/perl
    use Net::OAuth;

    my $request = Net::OAuth->request("consumer")->new(
        consumer_key     => 'dpf43f3p2l4k3l03',
        consumer_secret  => 'kd94hf93k423kf44',
        request_url      => 'https://photos.example.net/example?xyz=1&xyz=2',
        request_method   => 'POST',
        signature_method => 'HMAC-SHA1',
        timestamp        => '1191242090',
        nonce            => 'hsu94j3884jdopsl',
    );
    $request->sign;
    print $request->to_url, "\n";

Actual output:

    https://photos.example.net/example
    ?oauth_consumer_key=dpf43f3p2l4k3l03
    &oauth_nonce=hsu94j3884jdopsl
    &oauth_signature=TiBfujKj8lqfSb4z09cCA0rgF3M%3D
    &oauth_signature_method=HMAC-SHA1
    &oauth_timestamp=1281130089
    &oauth_version=1.0
    &xyz=1

Expected output:

    https://photos.example.net/example
    ?oauth_consumer_key=dpf43f3p2l4k3l03
    &oauth_nonce=hsu94j3884jdopsl
    &oauth_signature=nHAFXgbGExTUON4dGLYmQVJO9CE%3D
    &oauth_signature_method=HMAC-SHA1
    &oauth_timestamp=1281130089
    &oauth_version=1.0
    &xyz=1
    &xyz=2

This flaw is also present if a duplicate parameter is supplied via extra_params. The library is also unable to correctly verify the signatures on incoming requests if any duplicate parameters are present, either as URI parameters or as POST parameters.

See http://tools.ietf.org/html/rfc5849, section 3.4.1.3.2. Parameters Normalization:

    2. The parameters are sorted by name, using ascending byte value ordering. If two or more parameters share the same name, they are sorted by their value.
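The normalization the report cites, shown as an added Python example (not Net::OAuth's own Perl code): parameters are carried as a list of pairs and sorted by name and then by value, so the HMAC-SHA1 signature covers every repeated value, and a verifier that has dropped one of them rejects the request. The function names and the OAUTH_PARAMS layout are this example's own; the key, secret, URL, nonce and timestamp values come from the ticket.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit
# Test values taken from the ticket's Perl snippet; the parameter set is constructed for this example.
REQUEST_URL = "https://photos.example.net/example?xyz=1&xyz=2"
CONSUMER_SECRET = "kd94hf93k423kf44"
OAUTH_PARAMS = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_nonce": "hsu94j3884jdopsl",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242090",
                "oauth_version": "1.0"}

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def normalize_params(pairs):
    # Section 3.4.1.3.2: encode, sort by name then value, join with '&'.
    # Input is a list of pairs, never a dict, so xyz=1 and xyz=2 both survive.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # tuple order = name, then value
    return "&".join(f"{k}={v}" for k, v in encoded)

def base_string_uri(url):
    # Section 3.4.1.2: lowercase scheme and host, default port dropped, no query/fragment
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"

def collect_params(url, oauth_params, body_params=()):
    # Section 3.4.1.3.1: query pairs + oauth_* params + form body, minus oauth_signature
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return pairs + list(body_params)

def sign_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    # HMAC-SHA1 over the signature base string (sections 3.4.1.1 and 3.4.2)
    base = "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(collect_params(url, oauth_params, body_params)))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify_request(method, url, oauth_params, consumer_secret, signature, token_secret="", body_params=()):
    # Server side: recompute from every received parameter and compare in constant time
    expected = sign_request(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    sig = sign_request("POST", REQUEST_URL, OAUTH_PARAMS, CONSUMER_SECRET)
    print(normalize_params(collect_params(REQUEST_URL, OAUTH_PARAMS)))
    print("both xyz values kept:", verify_request("POST", REQUEST_URL, OAUTH_PARAMS, CONSUMER_SECRET, sig))
    print("xyz=2 dropped by verifier:", verify_request("POST", REQUEST_URL[:-6], OAUTH_PARAMS, CONSUMER_SECRET, sig))
```

Passing duplicates through body_params reproduces the extra_params case the report mentions: they are normalized exactly like the query-string duplicates.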

