php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #65766 Invalid SBS for arrays in query string
Submitted: 2013-09-26 12:29 UTC Modified: 2021-10-19 09:25 UTC
From: m dot kurzyna at crystalpoint dot pl Assigned:
Status: Verified Package: oauth (PECL)
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: m dot kurzyna at crystalpoint dot pl
New email:
PHP Version: OS:

 

 [2013-09-26 12:29 UTC] m dot kurzyna at crystalpoint dot pl 
Description:
------------
OAuth extension generates invalid SBS for requests with array params. This happens both with oauth_get_sbs and with OAuthProvider (although results differ).

For oauth_get_sbs() key names are lost when generating SBS. However when setting collapsed param name as string methods yelds correct results:

oauth_get_sbs("GET","http://host/path", [ "include[answers]" => 1  ]));

When using OAuthProvider (with live requests) param name gets encoded twice on the other hand. Also debug_sbs is truncated. I don't know if it's just debug output that is cut or the real base string.

Test script:
---------------
var_dump(
  oauth_get_sbs(
    "GET",
    "http://host/path", 
    [ "name" => [ "key" => "value" ]  ]
  )
);

// also data from real world example with OAuthProvider

Expected result:
----------------
string(57) "GET&http%3A%2F%2Fhost%2Fpath&include%255Banswers%255D%3D1"

// when OAuthProvider receives request (parts removed but same)
// this is from a client sending request (not a PHP Pecl extension)

GET&https%3A%2F%2F....&include%255Banswers%255D%3D1%26oauth_consumer_key....oauth_token%3D9f98c213db%26oauth_version%3D1.0

Actual result:
--------------
string(41) "GET&http%3A%2F%2Fhost%2Fpath&name%3Dvalue"

// when OAuthProvider receives request (parts removed but same)
// this is from debug_sbs returned through OAuthException

GET&https%3A%2F%2F....&include%3D1%26include%255Banswers%255D%3D1%26oauth_consumer_key....oauth_token%3D9f98c213db%26oauth_ver

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-09-26 12:40 UTC] m dot kurzyna at crystalpoint dot pl 
There is a c&p error in expected result - params are for [ 'include' => [ 'answers' => 1 ] ]. Sorry.

Proper expected:
string(54) "GET&http%3A%2F%2Fhost%2Fpath&name%255Bkey%255D%3Dvalue"
 [2021-10-18 17:11 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-10-18 17:11 UTC] cmb@php.net 
I can confirm the reported behavior with oauth's master branch.
The nested array is sorted[1], and as such the keys are
dropped[2]; that *might* not be regarded as bug, but rather a
limitation, but associating the key of the outer array with the
value of the inner array is definitely a bug.

[1] <https://github.com/php/pecl-web_services-oauth/blob/2.0.7/oauth.c#L519>
[2] <https://3v4l.org/JcgXp>
 [2021-10-19 09:25 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Assigned To: cmb +Assigned To:
 [2021-10-19 09:25 UTC] cmb@php.net 
> […], but associating the key of the outer array with the value
> of the inner array is definitely a bug.

No, not really.  PHP is special in how it encodes/decodes array
parameters; the rest of the world does it without brackets.  And
oauth_get_sbs() is supposed to work that way[1].  We need to
document that, though.

[1] <https://github.com/php/pecl-web_services-oauth/blob/2.0.7/tests/oauth_sbs.phpt#L52>
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 02:00:01 2025 UTC