php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59623 fetch() ignoring request method
Submitted: 2011-02-14 16:52 UTC Modified: 2011-06-27 19:57 UTC
From: stephan at osm-tools dot org Assigned:
Status: Closed Package: oauth (PECL)
PHP Version: 5.3.3 OS: Debian Squeeze
Private report: No CVE-ID: None
 [2011-02-14 16:52 UTC] stephan at osm-tools dot org
Description:
------------
The behavior of fetch() changed from 0.99.9 to 1.1.0.

I had my oauth constructed with OAUTH_AUTH_TYPE_URI based on some sample code.
When issuing the fetch method I specify the http method PUT.
Worked fine with 0.99.9. 

With 1.1.0 this changed:
oauth is ignoring the PUT method and silently replacing it with GET.
This happens in the source inside oauth_get_http_method()

So basically with a AuthType set to URI or FORM the request method parameter is ignored

In case this is intended behavior please document this with the fetch() method, a notice/waring in the log would also be great.



Reproduce code:
---------------
$oauth = new OAuth($conskey,$conssec,OAUTH_SIG_METHOD_HMACSHA1,OAUTH_AUTH_TYPE_URI);
$oauth->enableDebug();
$oauth->setToken($_SESSION['token'],$_SESSION['secret']);
   
$ret = $oauth->fetch($api_url, '', OAUTH_HTTP_METHOD_PUT);


Expected result:
----------------
expect to use the specified method PUT. If this is wrong usage I expect an adapted documentation and notice in the log

Actual result:
--------------
GET method used

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-02-15 01:21 UTC] jawed@php.net
That's not expected behavior. It's definitely a bug.

- JJ
 [2011-02-15 01:35 UTC] jawed@php.net
Can you try trunk? TIA.

- JJ
 [2011-02-15 17:49 UTC] stephan at osm-tools dot org
I reviewed your code change. It would change nothing as in my reproduction code the authType is URI thus having your code set the method to GET.
It would fix the problem in case of type FORM.

The oAuth documentation linked from oauth.net suggests that it's allowed to pass the parameter also as URI.
As it worked in the past it should be fine to do this also with HTTP PUT.

from:
http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/

OAuth does not directly specify how the request itself should be made and how the parameters should be delivered. But since it explicitly defines which parameters are included in the signature for verification by the Service Provider, it implicitly defines where parameters should be included in the request. OAuth Parameters can be included in either one (even simultaneously) of three locations: the URL query element (as defined by RFC 3986 section 3), the OAuth 'Authorization' header (per section 5.4.1), or in a single-part 'application/x-www-form-urlencoded' POST body (as defined by HTML4).
 [2011-02-15 19:37 UTC] datibbaw@php.net
I've got an alternative fix for this but it was breaking a few 
test cases, so I have to review the behavior again ;-)

Basically it means that the method used should not interfere 
with the auth type, unless they conflict (ie. using GET with 
Form auth)
 [2011-05-20 14:26 UTC] brianm at dealnews dot com
We are seeing the same issue. Twitter is rejecting status updates from pecl/oauth because they are not POST requests.
 [2011-05-28 10:42 UTC] dom at newscookie dot com
I'm having the exactly same issue as brianm over here...
 [2011-05-28 12:29 UTC] jawed@php.net
Sorry about the delay here. I'm also a bit puzzled about what the optimal 
interaction should be here so I opt'ed for a "if you set it, you know what 
you're doing" solution.

In trunk, if you pass a HTTP method via fetch() it is set regardless of the 
auth type. Lmk if this works for you guys.

- JJ
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC