PHP :: Bug #64970 :: DELETE / PUT params are not included in the signature on the provider side

Bug #64970

DELETE / PUT params are not included in the signature on the provider side

Submitted:

2013-06-04 14:04 UTC

Modified:

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

alexandru dot fluerici at yahoo dot com

Assigned:

Status:

Open

Package:

oauth (PECL)

PHP Version:

5.4.15

OS:

ubuntu

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	alexandru dot fluerici at yahoo dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-06-04 14:04 UTC] alexandru dot fluerici at yahoo dot com

Description:
------------
When trying to make a request with the PUT or DELETE action the extra parameters sent in the body are not being included on the signature process on the server.

Test script:
---------------
$oauth = new OAuth("9538568fb3756eeff20e71c0e9b62f7cd11b2656","34aa6f4f51d53212b34df53c316645bd2cab4edf",OAUTH_SIG_METHOD_HMACSHA1,OAUTH_AUTH_TYPE_AUTHORIZATION);

	$x = array(1,2,3 => array(1,2,3 => array(1,2,3)));

	$data = array('data' => json_encode($x)); 

	$oauth->fetch("http://api.alex.espressonew.com/index/index",$data,OAUTH_HTTP_METHOD_PUT);

Expected result:
----------------
The signature should be valid

Actual result:
--------------
The server response 

oauth_problem=signature_invalid&debug_sbs=PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0

The debug info from the client

PUT&http%3A%2F%2Fapi.alex.espressonew.com%2Findex%2Findex&data%3D%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%257B%25220%2522%253A1%252C%25221%2522%253A2%252C%25223%2522%253A%255B1%252C2%252C3%255D%257D%257D%26oauth_consumer_key%3D9538568fb3756eeff20e71c0e9b62f7cd11b2656%26oauth_nonce%3D100529351351adf305966404.17335333%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1370354437%26oauth_version%3D1.0

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-05 10:11 UTC] alexandru dot fluerici at yahoo dot com

So, after more testing it seems that the problem resides in the client code.

The HTTP RFC http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 
states the following for both PUT and DELETE:

The PUT / DELETE method requests that the enclosed entity be stored under the supplied Request-URI.


So my guess is the problem is with the client not appending the PUT / DELETE into the Request URI, instead putting it into the body.

[2021-02-13 12:08 UTC] berestnevao27 at gmail dot com

Thanks for the info i will try to figure it out for more      


https://www.indigocard.one/

[2022-01-15 12:17 UTC] nancychandler340 at gmail dot com

That's great. I was impressed by your writing. I am happy to see such a topic. Please come to my blog and read it.
https://www.myfeedbackcard.com/myindigocard/

[2022-01-19 07:18 UTC] umair dot riaz at ditrc dot com

https://irescopk.com/services/recruitment-agencies-in-pakistan-for-saudi-arabia/

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 12:01:27 2024 UTC