Bug #64970 DELETE / PUT params are not included in the signature on the provider side
Submitted: 2013-06-04 14:04 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: alexandru dot fluerici at yahoo dot com Assigned:
Status: Open Package: oauth (PECL)
PHP Version: 5.4.15 OS: ubuntu
Private report: No CVE-ID: None

 [2013-06-04 14:04 UTC] alexandru dot fluerici at yahoo dot com
Description:
------------
When trying to make a request with the PUT or DELETE action, the extra parameters sent in the body are not being included in the signature process on the server.

Test script:
---------------
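<?php
// Consumer key and secret as posted in the report.
$oauth = new OAuth("9538568fb3756eeff20e71c0e9b62f7cd11b2656", "34aa6f4f51d53212b34df53c316645bd2cab4edf", OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_AUTHORIZATION);

// Nested array; the non-sequential keys make json_encode() emit a JSON object.
$x = array(1, 2, 3 => array(1, 2, 3 => array(1, 2, 3)));

// Sent as an extra parameter of the PUT request.
$data = array('data' => json_encode($x));

$oauth->fetch("http://api.alex.espressonew.com/index/index", $data, OAUTH_HTTP_METHOD_PUT);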

Expected result:
----------------
The signature should be valid

Actual result:
--------------
The server response:

oauth_problem=signature_invalid&debug_sbs=PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0

The debug info from the client:

PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&data%3D%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%255B1%252C2%252C3%255D%257D%257D%26oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0
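
Added example, not part of the original report and not pecl/oauth code: it rebuilds the two signature base strings shown above following RFC 5849 section 3.4.1 and shows that leaving the `data` body parameter out on one side yields a different HMAC-SHA1 signature. The function names and the consumer secret are assumptions made for illustration; all other values are copied from the report.

```php
<?php
// RFC 5849 section 3.4.1: base string = METHOD & enc(base URL) & enc(sorted params).
// Assumes $url carries no query string, as in the report.
function signature_base_string($method, $url, array $params)
{
    $pairs = [];
    foreach ($params as $name => $value) {
        // Percent-encode names and values before sorting.
        $pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    // Sort by encoded name, ties broken by encoded value.
    usort($pairs, function ($a, $b) {
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $normalized = implode('&', array_map(function ($p) {
        return $p[0] . '=' . $p[1];
    }, $pairs));
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($normalized);
}

function hmac_sha1_signature($baseString, $consumerSecret, $tokenSecret = '')
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Parameter values copied from the debug output in the report.
$oauthParams = [
    'oauth_consumer_key'     => '9538568fb3756eeff20e71c0e9b62f7cd11b2656',
    'oauth_nonce'            => '100529351351adf305966404.17335333',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1370354437',
    'oauth_version'          => '1.0',
];
// Body parameter from the test script. RFC 5849 section 3.4.1.3.1 signs body
// parameters only for a single-part application/x-www-form-urlencoded body.
$body   = ['data' => json_encode([1, 2, 3 => [1, 2, 3 => [1, 2, 3]]])];
$url    = 'http://api.alex.espressonew.com/index/index';
$secret = 'constructed-consumer-secret'; // placeholder, not the secret from the report

$clientSbs   = signature_base_string('PUT', $url, $oauthParams + $body);
$providerSbs = signature_base_string('PUT', $url, $oauthParams);
echo "client:   $clientSbs\n";
echo "provider: $providerSbs\n";

// Constant-time comparison, as a provider should do (hash_equals() needs PHP 5.6+).
$match = hash_equals(hmac_sha1_signature($clientSbs, $secret), hmac_sha1_signature($providerSbs, $secret));
echo 'signatures match: ' . ($match ? 'yes' : 'no') . "\n";
```

The two printed base strings correspond to the client debug info and the server's `debug_sbs` value above, so the comparison reports no match.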

 [2013-06-05 10:11 UTC] alexandru dot fluerici at yahoo dot com
So, after more testing it seems that the problem resides in the client code.

The HTTP RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 
states the following for both PUT and DELETE:

The PUT / DELETE method requests that the enclosed entity be stored under the supplied Request-URI.


So my guess is the problem is with the client not appending the PUT / DELETE into the Request URI, instead putting it into the body.
Last updated: Fri Dec 06 13:01:23 2019 UTC