php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62882 provider adds a url= to the signature base string
Submitted: 2012-08-21 17:51 UTC Modified: 2012-08-30 19:35 UTC
From: hans at shapeways dot com Assigned:
Status: Not a bug Package: oauth (PECL)
PHP Version: Irrelevant OS: Ubuntu 11.10
Private report: No CVE-ID: None
 [2012-08-21 17:51 UTC] hans at shapeways dot com
Description:
------------
The 1.2.2 oauth provider *adds* url=someurl to an incoming signature base string if its not there before it signs it and then compares the result with what the consumer sent.

The Oauth libraries' auth_client sends a signature base string without the url part, making the request fail with oauth_problem=signature_invalid . According to rfc5849 I think the consumer is right in not adding the url part to the SBS.

I got the provider to accept a signature base string by crafting the oauth consumer by hand using curl and adding a url= part :

    $oauth = array(
        'oauth_consumer_key' => $consumer_key,
        'oauth_nonce' => time(),
        'oauth_signature_method' => $signature_method,
        'oauth_timestamp' => $timestamp,
        'oauth_version' => '1.0',
        'oauth_callback' => $callback,
        'url' => 'oauth1/request_token');

This works and made me conclude the provider requires the url= part which the libraries Oauth client does not provide.

Test script:
---------------
Here's the relevant library consumer piece :

    $oauth_client = new Oauth($consumer_key, $consumer_secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
    $oauth_client->enableDebug();
    try {
        $info = $oauth_client->getRequestToken("$url, $callback");

The request token provider is from the examples :

        $this->provider->setRequestTokenQuery();
        $this->provider->checkRequest();
        echo $this->provider->generateRequestToken();


Expected result:
----------------
I expect the library Oauth client to be able to talk to the library Oauth provider.

Actual result:
--------------
string(432) "oauth_problem=signature_invalid...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-21 18:55 UTC] jawed@php.net
I don't understand this line:

$info = $oauth_client->getRequestToken("$url, $callback");
 [2012-08-21 18:55 UTC] jawed@php.net
-Status: Open +Status: Feedback
 [2012-08-21 19:31 UTC] hans at shapeways dot com
Right, mispasted. Sorry for that. While debugging i tried both of these :
#        $info = $oauth_client->getRequestToken($url, $callback);
        $info = $oauth_client->getRequestToken("$url?oauth_callback=$callback");
Glad you're looking into this.
 [2012-08-28 13:36 UTC] hans at shapeways dot com
Here's tcpdump output from both the pecl oauth client and the curl client that shows the issue :

# pecl client :

GET /oauth1/request_token HTTP/1.1
User-Agent: PECL-OAuth/1.2.2
Host: testoauthserver:90
Accept: */*
Authorization: OAuth oauth_consumer_key="bb5d781afc99e33d4f7403f531be4286f0206172",oauth_signature_method="HMAC-SHA1",oauth_nonce="380922781503cc7a8358756.40104372",oauth_timestamp="1346160552",oauth_version="1.0",oauth_signature="Ek%2FioCp7UEr9Ri1oigNktQlP%2B8g%3D"

# server response :

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2012 13:26:56 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.8
Vary: Accept-Encoding
Content-Length: 338
Content-Type: text/html

oauth_problem=signature_invalid&debug_sbs=GET&http%3A%2F%2Ftestoauthserver%3A90%2Foauth1%2Frequest_token&oauth_consumer_key%3Dbb5d781afc99e33d4f7403f531be4286f0206172%26oauth_nonce%3D380922781503cc7a8358756.40104372%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1346160552%26oauth_version%3D1.0%26url%3Doauth1%252Frequest_token


# curl client with url= in the signature base string :

GET /oauth1/request_token HTTP/1.1
Host: testoauthserver:90
Accept: */*
Authorization: OAuth oauth_consumer_key="bb5d781afc99e33d4f7403f531be4286f0206172", oauth_nonce="1346160597", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1346160597", oauth_version="1.0", url="oauth1%2Frequest_token", oauth_signature="mhNU%2FAc8deCvH6B39UskXJVAHo8%3D"

# server response :

HTTP/1.1 200 OK
Date: Tue, 28 Aug 2012 13:27:41 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.8
Vary: Accept-Encoding
Content-Length: 217
Content-Type: text/html

authentification_url=http://localhost/OAuthProviderExample/oauth/login.php&oauth_token=4cecaa62dcb1172dc058aaaf2e642bc5a5e6f842&oauth_token_secret=1c79ee2470aea9784daf061779c4b38016d9ae66&oauth_callback_confirmed=true

If I remove the url= part from the curl request it also gets a signature_invalid response.

I hope this helps.
 [2012-08-30 15:52 UTC] hans at shapeways dot com
-Status: Feedback +Status: Closed
 [2012-08-30 15:52 UTC] hans at shapeways dot com
Issue cause found : a 'nice' mode_rewrite rule adding url=xxxx !
In case anyone else runs into this : add something like 
$this->oauth->setParam('url', NULL);
to the Provider constructor to ignore it so your SBS is correct.
 [2012-08-30 19:35 UTC] rasmus@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Aug 14 17:01:26 2020 UTC