php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #59233 Spaces in the Access Secret
Submitted: 2010-05-26 10:57 UTC Modified: 2010-05-28 12:04 UTC
From: qroups dot q at gmail dot com Assigned:
Status: Not a bug Package: oauth (PECL)
PHP Version: 5.2.6 OS: ANY
Private report: No CVE-ID: None
View Developer Edit
 [2010-05-26 10:57 UTC] qroups dot q at gmail dot com 
Description:
------------
Certain access secret keys returned by Google has spaces in 
them. A request to access the API using an access secret key 
that has a space in it fails. Here are the relevant URL's

'RequestUrl'=>"https://www.google.com/accounts/OAuthGetRequest
Token"							
'AccessUrl'=>"https://www.google.com/accounts/OAuthGetAccessTo
ken",
'AuthorizeUrl'=>"https://www.google.com/accounts/OAuthAuthoriz
eToken",
'Scopes' => "http://picasaweb.google.com/data/"


Reproduce code:
---------------
try
{
$oauth  = new OAuth($this->consKey, $this->consSecret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
// if the accessSecret has a space $oauth->fetch fails
$oauth->setToken($this->accessToken, $this->accessSecret);
$oauth->disableSSLChecks();
$oauth->enableDebug();
$oauth->fetch($url);
var_dump($oauth->getLastResponse());
}
catch(OAuthException $e)
{
var_dump($oauth->debugInfo);
return false;
}


Expected result:
----------------
Result from the requested API

Actual result:
--------------
OAuthException is thrown.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-05-26 11:14 UTC] qroups dot q at gmail dot com 
OS: ANY
 [2010-05-26 12:45 UTC] datibbaw@php.net 
Could you try trunk first?
 [2010-05-26 12:56 UTC] datibbaw@php.net 
Also, we need more data; like the output of debugInfo for instance.

Also, the output of the getAccessToken() will help. Not sure whether they mean to send a space in the first place.
 [2010-05-27 03:41 UTC] datibbaw@php.net 
The tokens that Google sends can contain / or +, the latter being a substitute for space when urldecode()'ed.

Please double check your code, afaik Google doesn't send secrets with spaces.
 [2010-05-28 10:23 UTC] qroups dot q at gmail dot com 
Here is an example access secret "KVbprjbe0BoNoOYlIt M8uwr". 
I was able to get an access secret with a space in it for 
every 5-10 times I tried. The procedure that I follow to 
retrieve an access secret is by invoking 
1. $access = $oauth->getAccessToken($accessUrl)
2. $access_secret = $access['oauth_token_secret'];

Here is the debuginfo for a failed request. I have edited 
the key and token:

"GET&http%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi%2
Fuser%2Fdefault&oauth_consumer_key%3Dsecret%26oauth_nonce%3D
247854bffcd5018a5d0.86791471%26oauth_signature_method%3DHMAC
-
SHA1%26oauth_timestamp%3D1275055440%26oauth_token%3D1%252FbR
QhIrP2yh_S-
faUlF1MaUd4R98J_qeLY0HpnwosFWg%26oauth_version%3D1.0" 
["headers_sent"]=> string(347) "GET 
/data/feed/api/user/default?
oauth_consumer_key=secret&oauth_signature_method=HMAC-
SHA1&oauth_nonce=247854bffcd5018a5d0.86791471&oauth_timestam
p=1275055440&oauth_version=1.0&oauth_token=1%2FbRQhIrP2yh_Sf
aUlF1MaUd4R98J_qeLY0HpnwosFWg&oauth_signature=LnTr5rB9WfvFHQ
FaVt1fYKsinrk%3D HTTP/1.1 Host: picasaweb.google.com Accept: 
*/*" ["headers_recv"]=> string(474) "HTTP/1.1 403 Forbidden 
Set-Cookie: _rtok=4ywqtBgLr1UK; Path=/; HttpOnly Set-Cookie: 
S=photos_html=Zun5LX6ofNPwyG9KIHE7oA; Domain=.google.com; 
Path=/; HttpOnly WWW-Authenticate: GoogleLogin 
realm="/accounts" Content-Type: text/html; charset=UTF-8 
Date: Fri, 28 May 2010 14:04:00 GMT Cache-control: private, 
must-revalidate, max-age=0 X-Content-Type-Options: nosniff 
X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block 
Server: GSE Transfer-Encoding: chunked" ["body_recv"]=> 
string(33) "16 Authorization required 0 " ["info"]=> 
string(212) "About to connect() to picasaweb.google.com port 
80 (#0) Trying 64.233.169.136... connected Connected to 
picasaweb.google.com (64.233.169.136) port 80 (#0) 
Connection #0 to host picasaweb.google.com left intact "

Important update:
Also, if I urlencode (using the function mentioned in the 
note) the secret before accessing the API using the 
oauth::setToken() and oauth::fetch(), the request succeeds 
all the time(even with space in the secret), from my limited 
testing. If I don't urlencode the secret with the space, the 
request fails all the time.

Note: 
function rfc3986_encode($str) 
{ 
  $str = rawurlencode($str); 
  $str = str_replace('%E7', '~', $str); 
  return $str; 
}
 [2010-05-28 10:58 UTC] datibbaw@php.net 
Hi, thanks!

Two things:
1) what version of OAuth are you using? Is it trunk?
2) Could you also send the debugInfo of the getAccessToken?
 [2010-05-28 11:40 UTC] qroups dot q at gmail dot com 
I found the issue. The fault was at my end. Google does send 
access secrets with spaces. The getAccessToken() returns the 
access secret with spaces encoded to a '+'). I had a 
header() in which I passed the access secret. That decoded 
the access secret, that I stored in a database. I didn't 
realize that header() decodes the query parameters (I am new 
to PhP). While using the access secret from the database 
(its a decoded string) the fetch fails. Thanks for your 
help. I was able to debug this while trying to get the 
debuginfo for the access token.
 [2010-05-28 12:04 UTC] datibbaw@php.net 
Sorry, but your problem does not imply a bug in PECL itself.  For a
list of more appropriate places to ask for help using PECL, please
visit http://pecl.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PECL.

Thanks for finding the problem in the end :)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 08:01:35 2025 UTC