Bug #59334 OAuthProvider: Authorization header case-sensitivity
Submitted: 2010-08-02 18:30 UTC
Modified: 2011-01-15 12:08 UTC
From: php+bugs at dmi dot me dot uk
Assigned:
Status: Closed
Package: oauth (PECL)
PHP Version: 5.3.3
OS: Linux
Private report: No
CVE-ID: None

 

 [2010-08-02 18:30 UTC] php+bugs at dmi dot me dot uk
Description:
------------
When used as part of mod_php in Apache, the OAuthProvider class does not honour the "Authorization" header if the name does not match exactly. Requests made via python-oauth2 (http://github.com/simplegeo/python-oauth2) via httplib2 normalise request headers to be all lowercase, which means that the credentials are not picked up.

According to HTTP 1.1 (RFC2616 section 4.2), header names should be case-insensitive.

Reproduce code:
---------------
Reproduce:

Use pycloc (http://github.com/dingram/pycloc) to make a PUT request against an OAuthProvider endpoint. The credentials will be placed in an "authorization:" header. Example request:

pycloc http://localhost/oauth/a_private_api.php -B blah=foo -u


Patch against SVN HEAD (r301479):

http://www.dmi.me.uk/code/patches/oauth-provider-case-insensitive-header.patch

Expected result:
----------------
Expected result is for the request to succeed, and for the authorization header to be correctly parsed, whatever capitalisation it has.

Actual result:
--------------
OAuthProvider throws an exception when it cannot access the header.

Exception: exception 'OAuthException' with message 'Missing required parameters' in /var/www/localhost/htdocs/oauth/a_private_api.php:15
Stack trace:
#0 /var/www/localhost/htdocs/oauth/a_private_api.php(15): OAuthProvider->checkOAuthRequest()
#1 {main}
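
The lookup behaviour at issue, as an added C example (not the extension's code and not the committed fix): an exact-match header lookup misses a lowercased `authorization` field, while an ASCII case-insensitive lookup finds it. The struct, the function names and the sample headers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct header { const char *name; const char *value; };
/* Constructed sample: header names lowercased by the client, as in the report. */
static const struct header sample[] = {
    { "host", "localhost" },
    { "authorization", "OAuth oauth_consumer_key=\"consumer_key\", oauth_token=\"access_token\"" },
};

/* ASCII-only folding: field names are ASCII tokens, so avoid locale-dependent tolower(). */
static int lc(unsigned char c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }
/* 1 if the first n bytes of a and b match ignoring ASCII case (stops at NUL). */
static int ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (lc((unsigned char)a[i]) != lc((unsigned char)b[i])) return 0;
        if (a[i] == '\0') return 1;
    }
    return 1;
}

/* Exact-match lookup: misses "authorization", the failure described in the report. */
const char *header_get_exact(const struct header *h, size_t n, const char *want) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(h[i].name, want) == 0) return h[i].value;
    return NULL;
}

/* Case-insensitive lookup, per RFC 2616 section 4.2. */
const char *header_get(const struct header *h, size_t n, const char *want) {
    size_t len = strlen(want);
    for (size_t i = 0; i < n; i++)
        if (strlen(h[i].name) == len && ieq_n(h[i].name, want, len)) return h[i].value;
    return NULL;
}

/* Parameters after an "OAuth" scheme token (scheme also case-insensitive), or NULL. */
const char *oauth_params(const char *v) {
    if (!v || !ieq_n(v, "OAuth", 5) || v[5] != ' ') return NULL;
    for (v += 5; *v == ' '; v++) {}
    return *v ? v : NULL;
}

int main(void) {
    printf("exact: %s\n", header_get_exact(sample, 2, "Authorization") ? "found" : "missing");
    printf("folded: %s\n", oauth_params(header_get(sample, 2, "Authorization")));
    return 0;
}
```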


 [2010-08-03 05:51 UTC] php+bugs at dmi dot me dot uk
More complete reproduce example:

pycloc -k consumer_key -K the_consumer_secret -t access_token -T the_access_token_secret -u http://localhost/oauth/a_private_api.php -B 'blah=foo'
 [2010-08-03 11:05 UTC] datibbaw@php.net
Fix committed in SVN, but not entirely according to submitted patch. Please verify in trunk.
 [2010-08-03 11:27 UTC] php+bugs at dmi dot me dot uk
Verified -- all works as expected. Thanks for the quick response, and for improving my patch. This was my first patch for a PHP extension, so it's always helpful to see better ways of doing things.

Cheers!

[apologies if this shows up multiple times, but the system didn't seem to want to accept my reply]
 [2011-01-15 12:08 UTC] jawed@php.net
This bug has been fixed in SVN.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

Closing based on datibbaw@ and the bug reporter's comments.
 
Last updated: Sat Dec 21 15:01:29 2024 UTC