This queue is for tickets about the Net-OAuth CPAN distribution.

Report information
The Basics
Id: 93193
Status: new
Priority: 0/
Queue: Net-OAuth

People
Owner: Nobody in particular
Requestors: juan [...] camachofamily.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Incorrect request param normalization. Potential patch for Net::OAuth::Message::gather_message_parameters
Date: Thu, 20 Feb 2014 10:16:29 -0500
To: bug-Net-OAuth [...] rt.cpan.org
From: Juan Camacho <juan [...] camachofamily.com>
The following code generates an incorrect signature:

    use Net::OAuth;

    my %args = (
        consumer_key     => 'trial',
        consumer_secret  => 'trial',
        request_url      => $uri,
        request_method   => 'GET',
        signature_method => 'HMAC-SHA1',
        timestamp        => time,
        nonce            => int(rand(99999999)),
        extra_params     => {param => 'foo', param2 => 'bar'},
    );
    my $request = Net::OAuth->request('consumer')->new(%args);

The normalized param ends up encrypting a version of the string where 'param2' is before 'param'.

    use Data::Dumper;

    my @pairs = ('param=foo', 'param2=bar');
    print Dumper([sort @pairs]);
    # $VAR1 = [ 'param2=bar', 'param=foo' ];

The following is a potential patch.

--- /home/twst/tmp/Message.pm 2014-02-20 09:25:32.000000000 -0500 +++ /home/twst/perl5/lib/perl5/Net/OAuth/Message.pm 2014-02-20 09:28:48.000000000 -0500 @@ -146,10 +146,11 @@ return \%params; } my @pairs; - while (my ($k,$v) = each %params) { + foreach my $k (sort keys %params) { + my $v = $params{$k}; push @pairs, join('=', encode($k), $opts{quote} . encode($v) . $opts{quote}); } - return sort(@pairs); + return @pairs; }

Note: The above doesn’t sort both the key and values as per the OAuth standard (http://oauth.net/core/1.0a/#sig_norm_param) but I can't see how to generate a request for multiple values on the same key (e.g. a=1&a=2) via Net::OAuth. If there is, or if it’s later introduced, the above will not work.

Juan Camacho
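Review bot: The new loop header `foreach my $k (sort keys %params)` orders the raw keys, while the pairs that are emitted use `encode($k)`, so the sort order and the emitted strings can disagree for any key containing a character that `encode` rewrites. Sorting on the encoded form (for example, encoding keys and values first and sorting that list) keeps the ordering consistent with the strings that go into the signature. With `return sort(@pairs)` removed, this function's ordering now depends entirely on that loop, so a regression test with keys where one is a prefix of the other (`param`, `param2`) would be worth adding alongside the change.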
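The ordering problem described in the report, next to the name-then-value ordering from the linked OAuth section, as an added Perl example (not code from the report or from Net::OAuth; `oauth_encode`, `normalize_joined`, `normalize_spec` and the sample parameters are hypothetical names and constructed values). It goes one step beyond the patch by also handling repeated keys:

```perl
use strict;
use warnings;

# Percent-encode everything except ALPHA, DIGIT, '-', '.', '_', '~',
# using upper-case hex. Character strings are converted to UTF-8 first.
sub oauth_encode {
    my ($s) = @_;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Ordering reported as broken: build "name=value" strings, then sort them.
# The '=' separator takes part in the comparison.
sub normalize_joined {
    my (@kv) = @_;    # list of [name, value] array refs
    my @pairs;
    foreach my $p (@kv) {
        push @pairs, join('=', oauth_encode($p->[0]), oauth_encode($p->[1]));
    }
    return join('&', sort @pairs);
}

# Ordering by encoded name, ties broken by encoded value, and only then
# joined with '=' and '&'. Handles repeated names such as a=1&a=2.
sub normalize_spec {
    my (@kv) = @_;
    my @enc    = map { [ oauth_encode($_->[0]), oauth_encode($_->[1]) ] } @kv;
    my @sorted = sort { $a->[0] cmp $b->[0] or $a->[1] cmp $b->[1] } @enc;
    return join('&', map { $_->[0] . '=' . $_->[1] } @sorted);
}

# Constructed sample input: the two parameters from the report plus a
# repeated key, the case the report says Net::OAuth cannot express.
my @params = (
    [ param  => 'foo' ],
    [ param2 => 'bar' ],
    [ a      => '2' ],
    [ a      => '1' ],
);

print "joined then sorted: ", normalize_joined(@params), "\n";
print "name, then value:   ", normalize_spec(@params),   "\n";
```

The first line places `param2=bar` ahead of `param=foo` because `2` (0x32) compares lower than `=` (0x3D); the second keeps `param` first and orders the two `a` values.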

