PHP :: Bug #59259 :: Multiple fetch calls always send the same nonce

Bug #59259	Multiple fetch calls always send the same nonce
Submitted:	2010-06-11 11:18 UTC	Modified:	2010-06-14 08:51 UTC
From:	z at orbus dot fr	Assigned:
Status:	Closed	Package:	oauth (PECL)
PHP Version:	5.2.13	OS:	Debian Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2010-06-11 11:18 UTC] z at orbus dot fr

Description:
------------
As the OAuth RFC says, "The nonce value MUST be unique across all requests with the same timestamp, client credentials, and token combinations." (section 3.3).

But in PECL OAuth client, when you make calls to fetch method with a different timestamp (obviously, by waiting some seconds between calls), the nonce doesn't change and triggers a server error (when the server respects the RFC).

Reproduce code:
---------------
// (snip) Oauth dance

$oauth->fetch($url);

sleep(2);

$oauth->fetch($url2);

// -> triggers server error "invalid nonce"

Expected result:
----------------
Oauth should send a different nonce for each fetch call.

Actual result:
--------------
Always sends the same nonce.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-11 11:34 UTC] rasmus@php.net

But you are generating the nonce yourself with the callback.  
pecl/oauth doesn't generate it.  So I don't understand what 
you are referring to here.

[2010-06-11 11:42 UTC] z at orbus dot fr

Sorry if I've not made myself clear enough. I'll try to explain better.

After having done a OAuth dance (temporary credentials, authorization, request token), you make OAuth requests with fetch.

If you call 'fetch' two times the second time it will send the same nonce as in the first call. But as the spec says, the nonce should change when the timestamp have changed, but that's not what the PECL is doing here.

Or maybe am I mis-interpreting the RFC?

[2010-06-11 11:44 UTC] rasmus@php.net

What does your timestampNonceHandler() callback look like and 
is it being called?  Like I said, the extension doesn't 
generate the Nonce, you do.

[2010-06-11 11:47 UTC] rasmus@php.net

ah, you are talking about the consumer side, not the provider.  
never mind.

[2010-06-11 11:48 UTC] z at orbus dot fr

Oh there's a little mis-understanding, I'm only using the Oauth client object, not the OauthProvider object.

[2010-06-11 21:37 UTC] datibbaw@php.net

Please provide the full reproduce script.

If you set your own nonce, you're also responsible for refreshing it ;-)

[2010-06-14 04:22 UTC] z at orbus dot fr

I *don't* set my own nonce.

The script:

$conskey = 'trololo';
$conssec = 'trololosecret';

$oauth = new OAuth($conskey, $conssec);
$oauth->enableDebug();
$oauth->disableSSLChecks();

$oauth->setToken('toto', '1234');
$joe = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=joe');

$jack = $oauth->fetch('https://test.orbus/api/v1/user/get.json?username=jack');

[2010-06-14 08:22 UTC] datibbaw@php.net

Your reproduce script doesn't confirm your assumptions, i.e. it doesn't print the request being sent to the server.

Couldn't reproduce this on my machine, it prints two completely different nonces for both requests.

Please modify your script so that the ->debugInfo['sbs'] is printed and try again.

[2010-06-14 08:51 UTC] z at orbus dot fr

Nethermind, the developer in charge found the bug, somewhat some callback in his code was setting the same nonce each time.

Sorry for the loss of time. *grmbl*

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Wed Jun 07 15:03:42 2023 UTC