PHP :: Bug #64970 :: DELETE / PUT params are not included in the signature on the provider side

Bug #64970

DELETE / PUT params are not included in the signature on the provider side

Submitted:

2013-06-04 14:04 UTC

Modified:

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

alexandru dot fluerici at yahoo dot com

Assigned:

Status:

Open

Package:

oauth (PECL)

PHP Version:

5.4.15

OS:

ubuntu

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	alexandru dot fluerici at yahoo dot com
New email:
PHP Version:		OS:

New Comment:

[2013-06-04 14:04 UTC] alexandru dot fluerici at yahoo dot com

Description:
------------
When trying to make a request with the PUT or DELETE action the extra parameters sent in the body are not being included on the signature process on the server.

Test script:
---------------
$oauth = new OAuth("9538568fb3756eeff20e71c0e9b62f7cd11b2656","34aa6f4f51d53212b34df53c316645bd2cab4edf",OAUTH_SIG_METHOD_HMACSHA1,OAUTH_AUTH_TYPE_AUTHORIZATION);

	$x = array(1,2,3 => array(1,2,3 => array(1,2,3)));

	$data = array('data' => json_encode($x)); 

	$oauth->fetch("http://api.alex.espressonew.com/index/index",$data,OAUTH_HTTP_METHOD_PUT);

Expected result:
----------------
The signature should be valid

Actual result:
--------------
The server response 

oauth_problem=signature_invalid&debug_sbs=PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0

The debug info from the client

PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&data%3D%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%255B1%252C2%252C3%255D%257D%257D%26oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-05 10:11 UTC] alexandru dot fluerici at yahoo dot com

So, after more testing it seems that the problem resides in the client code.

The HTTP RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 
states the following for both PUT and DELETE:

The PUT / DELETE method requests that the enclosed entity be stored under the supplied Request-URI.


So my guess is the problem is with the client not appending the PUT / DELETE into the Request URI, instead putting it into the body.

[2021-02-13 12:08 UTC] berestnevao27 at gmail dot com

Thanks for the info i will try to figure it out for more      


https://www.indigocard.one/

[2022-01-15 12:17 UTC] nancychandler340 at gmail dot com

That's great. I was impressed by your writing. I am happy to see such a topic. Please come to my blog and read it.
https://www.myfeedbackcard.com/myindigocard/

[2022-01-19 07:18 UTC] umair dot riaz at ditrc dot com

https://irescopk.com/services/recruitment-agencies-in-pakistan-for-saudi-arabia/

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 22 04:01:28 2024 UTC