Bug #64308 Protocol and host name not lowercased when generating signature base string
Submitted: 2013-02-27 10:07 UTC
Modified: 2013-11-12 22:52 UTC
From: jaisen at jmathai dot com
Assigned: jawed
Status: Closed
Package: oauth (PECL)
PHP Version: 5.3Git-2013-02-27 (snap)
OS: Linux / OSX
Private report: No
CVE-ID: None

 [2013-02-27 10:07 UTC] jaisen at jmathai dot com
Description:
------------
Section 9.1.2 of the OAuth 1.0a spec states that the scheme and authority should be lowercased.

http://oauth.net/core/1.0a/#anchor13

As seen in the actual resulting debug_sbs, that isn't the case for the authority/hostname.

Expected result:
----------------
The signature base string should be computed by lowercasing the host and protocol.

Actual result:
--------------
oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2FSimonWpt.trovebox.com%2Fhello.json&auth%3Dtrue%26oauth_consumer_key%3D***************%26oauth_nonce%3DIVziV%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1361954784%26oauth_token%3D****************%26oauth_version%3D1.0
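
The normalization the report refers to (OAuth 1.0a section 9.1.2), as an added example that is not part of the original report or the extension's code. The function names are hypothetical, and the host, parameters and secrets are constructed sample values.

```php
<?php
// Added example: OAuth 1.0a section 9.1.2 base URI normalization (constructed sample values).

function normalize_base_uri(string $url): string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("not an absolute URL: $url");
    }
    $scheme = strtolower($p['scheme']);  // scheme is lowercased
    $host   = strtolower($p['host']);    // authority is lowercased
    $defaultPorts = ['http' => 80, 'https' => 443];
    $port = '';
    // Default ports are omitted; any other port stays in the base URI.
    if (isset($p['port']) && ($defaultPorts[$scheme] ?? null) !== $p['port']) {
        $port = ':' . $p['port'];
    }
    // Path case is preserved; query string and fragment are excluded.
    return $scheme . '://' . $host . $port . ($p['path'] ?? '/');
}

function signature_base_string(string $method, string $baseUri, array $params): string
{
    $encoded = [];
    foreach ($params as $name => $value) {  // assumes unique parameter names
        $encoded[rawurlencode((string) $name)] = rawurlencode((string) $value);
    }
    ksort($encoded, SORT_STRING);           // byte-order sort by encoded name
    $pairs = array_map(fn($n, $v) => "$n=$v", array_keys($encoded), $encoded);
    return strtoupper($method) . '&' . rawurlencode($baseUri)
         . '&' . rawurlencode(implode('&', $pairs));
}

function hmac_sha1_signature(string $sbs, string $consumerSecret, string $tokenSecret): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $sbs, $key, true));
}

// Constructed request: a mixed-case subdomain, as in the report's scenario.
$params = ['auth' => 'true', 'oauth_consumer_key' => 'sample-key', 'oauth_nonce' => 'n0nce',
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1700000000',
    'oauth_token' => 'sample-token', 'oauth_version' => '1.0'];
$asTyped = 'http://MixedCase.example.com/hello.json';
foreach (['as typed' => $asTyped, 'normalized' => normalize_base_uri($asTyped)] as $label => $uri) {
    $sig = hmac_sha1_signature(signature_base_string('GET', $uri, $params), 'cs-secret', 'ts-secret');
    echo str_pad($label, 11), $uri, ' => ', $sig, PHP_EOL;
}
```

The two printed signatures differ, which is the kind of mismatch that surfaces as `signature_invalid` when only one side of the exchange lowercases the host.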

Patches

bug_64308.patch (last revision 2013-11-12 22:22 UTC by mjpelmear at gmail dot com)

History

 [2013-02-28 01:42 UTC] datibbaw@php.net
I guess we've conveniently skipped that ;-)

Btw, the correct documentation link is: 
http://oauth.net/core/1.0a/#rfc.section.9.1.2
 [2013-02-28 04:07 UTC] jaisen at jmathai dot com
It was an elusive bug and only affected a small portion of our users.

Looking forward to the fix and thanks for this great extension.
 [2013-11-12 22:50 UTC] jawed@php.net
Automatic comment from SVN on behalf of jawed
Revision: http://svn.php.net/viewvc/?view=revision&revision=332108
Log: Bug 64308 (patch via mjpelmear at gmail dot com)
 [2013-11-12 22:52 UTC] jawed@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: jawed
 [2013-11-12 22:52 UTC] jawed@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Looks fine to me, applied. Thanks!
 
Last updated: Mon May 12 05:01:28 2025 UTC