Bug #62882 provider adds a url= to the signature base string
Submitted: 2012-08-21 17:51 UTC Modified: 2012-08-30 19:35 UTC
From: hans at shapeways dot com Assigned:
Status: Not a bug Package: oauth (PECL)
PHP Version: Irrelevant OS: Ubuntu 11.10
Private report: No CVE-ID: None
 [2012-08-21 17:51 UTC] hans at shapeways dot com
Description:
------------
The 1.2.2 oauth provider *adds* url=someurl to an incoming signature base string if it's not there before it signs it and then compares the result with what the consumer sent.

The Oauth library's auth_client sends a signature base string without the url part, making the request fail with oauth_problem=signature_invalid. According to RFC 5849 I think the consumer is right in not adding the url part to the SBS.

I got the provider to accept a signature base string by crafting the oauth consumer by hand using curl and adding a url= part :

    $oauth = array(
        'oauth_consumer_key' => $consumer_key,
        'oauth_nonce' => time(),
        'oauth_signature_method' => $signature_method,
        'oauth_timestamp' => $timestamp,
        'oauth_version' => '1.0',
        'oauth_callback' => $callback,
        'url' => 'oauth1/request_token');

This works and made me conclude the provider requires the url= part, which the library's Oauth client does not provide.

Test script:
---------------
Here's the relevant library consumer piece :

    $oauth_client = new Oauth($consumer_key, $consumer_secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
    $oauth_client->enableDebug();
    try {
        $info = $oauth_client->getRequestToken("$url, $callback");

The request token provider is from the examples :

        $this->provider->setRequestTokenQuery();
        $this->provider->checkRequest();
        echo $this->provider->generateRequestToken();


Expected result:
----------------
I expect the library Oauth client to be able to talk to the library Oauth provider.

Actual result:
--------------
string(432) "oauth_problem=signature_invalid...

 [2012-08-21 18:55 UTC] jawed@php.net
I don't understand this line:

$info = $oauth_client->getRequestToken("$url, $callback");
 [2012-08-21 18:55 UTC] jawed@php.net
-Status: Open +Status: Feedback
 [2012-08-21 19:31 UTC] hans at shapeways dot com
Right, mispasted. Sorry for that. While debugging I tried both of these :

    # $info = $oauth_client->getRequestToken($url, $callback);
    $info = $oauth_client->getRequestToken("$url?oauth_callback=$callback");

Glad you're looking into this.
 [2012-08-28 13:36 UTC] hans at shapeways dot com
Here's tcpdump output from both the pecl oauth client and the curl client that shows the issue :

# pecl client :

GET /oauth1/request_token HTTP/1.1
User-Agent: PECL-OAuth/1.2.2
Host: testoauthserver:90
Accept: */*
Authorization: OAuth oauth_consumer_key="bb5d781afc99e33d4f7403f531be4286f0206172",oauth_signature_method="HMAC-SHA1",oauth_nonce="380922781503cc7a8358756.40104372",oauth_timestamp="1346160552",oauth_version="1.0",oauth_signature="Ek%2FioCp7UEr9Ri1oigNktQlP%2B8g%3D"

# server response :

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2012 13:26:56 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.8
Vary: Accept-Encoding
Content-Length: 338
Content-Type: text/html

oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2Ftestoauthserver%3A90%2Foauth1%2Frequest_token&oauth_consumer_key%3Dbb5d781afc99e33d4f7403f531be4286f0206172%26oauth_nonce%3D380922781503cc7a8358756.40104372%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346160552%26oauth_version%3D1.0%26url%3Doauth1%252Frequest_token


# curl client with url= in the signature base string :

GET /oauth1/request_token HTTP/1.1
Host: testoauthserver:90
Accept: */*
Authorization: OAuth oauth_consumer_key="bb5d781afc99e33d4f7403f531be4286f0206172", oauth_nonce="1346160597", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1346160597", oauth_version="1.0", url="oauth1%2Frequest_token", oauth_signature="mhNU%2FAc8deCvH6B39UskXJVAHo8%3D"

# server response :

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2012 13:27:41 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.8
Vary: Accept-Encoding
Content-Length: 217
Content-Type: text/html

authentification_url=http://localhost/OAuthProviderExample/oauth/login.php&oauth_token=4cecaa62dcb1172dc058aaaf2e642bc5a5e6f842&oauth_token_secret=1c79ee2470aea9784daf061779c4b38016d9ae66&oauth_callback_confirmed=true

If I remove the url= part from the curl request it also gets a signature_invalid response.

I hope this helps.
 [2012-08-30 15:52 UTC] hans at shapeways dot com
-Status: Feedback +Status: Closed
 [2012-08-30 15:52 UTC] hans at shapeways dot com
Issue cause found : a 'nice' mod_rewrite rule adding url=xxxx !
In case anyone else runs into this : add something like 
$this->oauth->setParam('url', NULL);
to the Provider constructor to ignore it so your SBS is correct.
 [2012-08-30 19:35 UTC] rasmus@php.net
-Status: Closed +Status: Not a bug
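
The cause found in this thread, as an added example (not code from the report or from PECL oauth): RFC 5849 signs query parameters, so a `url` parameter appended by a rewrite rule after the client has signed changes the provider's signature base string. The function names are hypothetical and the consumer secret is a constructed placeholder; the other values are taken from the PECL client capture above.

```php
<?php
// Added example (not PECL oauth code): RFC 5849 section 3.4.1 base string in plain PHP.

function signatureBaseString(string $method, string $baseUri, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        if ($name === 'oauth_signature') {
            continue; // the signature itself is never signed
        }
        $pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    // Sort by encoded name, then by encoded value, in byte order.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($baseUri) . '&' . rawurlencode($normalized);
}

function hmacSha1Signature(string $sbs, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $sbs, $key, true));
}

$baseUri = 'http://testoauthserver:90/oauth1/request_token';
$secret  = 'constructed-consumer-secret'; // placeholder; the real secret is not on the page

// Parameters the PECL client signed (values from the first capture above).
$signed = [
    'oauth_consumer_key'     => 'bb5d781afc99e33d4f7403f531be4286f0206172',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_nonce'            => '380922781503cc7a8358756.40104372',
    'oauth_timestamp'        => '1346160552',
    'oauth_version'          => '1.0',
];
$clientSig = hmacSha1Signature(signatureBaseString('GET', $baseUri, $signed), $secret);

// What the provider sees after the rewrite rule has appended url=... to the query string.
$seen = $signed + ['url' => 'oauth1/request_token'];
$pollutedSbs = signatureBaseString('GET', $baseUri, $seen);
echo $pollutedSbs, "\n"; // compare with debug_sbs in the provider's error response
echo 'with url:    ', var_export(hash_equals($clientSig, hmacSha1Signature($pollutedSbs, $secret)), true), "\n";

// Mirrors the thread's workaround: leave the injected parameter out of the base string.
unset($seen['url']);
$cleanSig = hmacSha1Signature(signatureBaseString('GET', $baseUri, $seen), $secret);
echo 'without url: ', var_export(hash_equals($clientSig, $cleanSig), true), "\n";
```

A parameter left out of the base string is not covered by the signature, so the provider should not act on its value. Removing the parameter in the rewrite rule itself avoids the mismatch without leaving an unsigned input.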
 