Bug #59337 SBS not encoded in ProblemReporting output
Submitted: 2010-08-04 03:41 UTC Modified: 2011-01-16 19:47 UTC
Avg. Score:3.7 ± 1.9
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:3 (100.0%)
From: php+bugs at dmi dot me dot uk Assigned:
Status: Open Package: oauth (PECL)
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None

 [2010-08-04 03:41 UTC] php+bugs at dmi dot me dot uk
If there is a problem with the signature, the ProblemReporting extension echoes back the expected SBS. This needs to be urlencoded again before output, as otherwise arguments can be lost when parsing the result, and the wrong data will be returned.

Reproduce code:
curl -iH 'Authorization: OAuth realm="", oauth_nonce="blargh", oauth_timestamp="1280776749", oauth_consumer_key="consumer-key", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_token="access-me", oauth_signature="83ziTTIbrIgoGIjqp541JaFzBms%3D"' -X PUT http://localhost/oauth/a_private_api.php

Expected result:
HTTP/1.1 401 Unauthorized
Date: Wed, 04 Aug 2010 07:36:46 GMT
Server: Apache
Content-Length: 306
Content-Type: text/html; charset=utf-8


Actual result:
HTTP/1.1 401 Unauthorized
Date: Wed, 04 Aug 2010 07:36:46 GMT
Server: Apache
Content-Length: 270
Content-Type: text/html; charset=utf-8



 [2011-01-15 13:27 UTC]
IIRC, it used to be double encoded but we decided to revert 
the debug SBS back to single encoding because of:


2) Consistency - Google's provider also did not double 
encode the debug SBS... that may have changed, in which case 
we can re-visit the issue.

- JJ
 [2011-01-16 14:37 UTC] php+bugs at dmi dot me dot uk
As far as the ProblemReporting spec goes, I don't see any 
mention of "debug_sbs" (or signature base string) at all. 
However, it does state that "parameter values are percent-
encoded". In the examples for "oauth_parameters_absent" and 
"oauth_parameters_rejected", it explicitly states that their 
values are double-encoded, so it is a reasonable assumption 
that debug_sbs should be.

Aside from that, not double-encoding debug_sbs makes it much 
more difficult to parse. I would therefore argue that it is 
a bug that should be addressed.
 [2011-01-16 17:07 UTC]
Yes, I agree that it is more difficult to work with if it is not 
double encoded. I'm okay with changing it; Rasmus, Felipe, 
Tjerk any objections?

- JJ
 [2011-01-16 19:47 UTC]
Ok with me.
 [2013-09-12 22:30 UTC] tim at timlytle dot net
Here's a userland fix:

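$headers = OAuthProvider::reportProblem($e, false);
if(strpos($headers, 'debug_sbs') !== false){
    // Split at the first '&' only; that one stays as the field separator
    $parts = explode('&', $headers, 2);
    // Escape every remaining '&' so it is no longer read as a separator
    array_walk($parts, function(&$value){
        $value = str_replace('&', '%26', $value);
    });
    $headers = implode('&', $parts);
}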
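
The parsing problem from the report, and what each encoding gives a client that parses the response, as an added example (not code from the report, the comments, or the oauth extension). The SBS value, the `oauth_problem=...&debug_sbs=...` body layout and the helper `parsed_sbs` are constructed assumptions.

```php
<?php
// Constructed sample: a signature base string for the PUT request in the
// report (parameter list shortened; illustrative, not captured output).
$sbs = implode('&', array_map('rawurlencode', [
    'PUT',
    'http://localhost/oauth/a_private_api.php',
    'oauth_consumer_key=consumer-key&oauth_nonce=blargh&oauth_token=access-me',
]));

// Assumed body layout: oauth_problem first, then debug_sbs.
$single = 'oauth_problem=signature_invalid&debug_sbs=' . $sbs;               // SBS echoed as-is
$double = 'oauth_problem=signature_invalid&debug_sbs=' . rawurlencode($sbs); // SBS encoded again

// Same transformation as the userland workaround: escape each '&' after the first.
$parts   = explode('&', $single, 2);
$patched = $parts[0] . '&' . str_replace('&', '%26', $parts[1]);

// Hypothetical client-side helper: parse the body as form data and
// return the debug_sbs field (parse_str decodes each value once).
function parsed_sbs(string $body): string
{
    parse_str($body, $fields);
    return $fields['debug_sbs'] ?? '';
}

foreach (['single' => $single, 'double' => $double, 'patched' => $patched] as $label => $body) {
    $got = parsed_sbs($body);
    printf("%-8s equals SBS: %-3s  debug_sbs=%s\n", $label, $got === $sbs ? 'yes' : 'no', $got);
}
```

Only the double-encoded body parses back to the exact SBS. The single-encoded body yields just `PUT`, and the `&`-escaped body keeps all three parts but decoded one level further than the SBS itself.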
Last updated: Sat May 18 01:01:33 2024 UTC