php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #65766 Invalid SBS for arrays in query string
Submitted: 2013-09-26 12:29 UTC Modified: 2021-10-19 09:25 UTC
From: m dot kurzyna at crystalpoint dot pl Assigned:
Status: Verified Package: oauth (PECL)
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2013-09-26 12:29 UTC] m dot kurzyna at crystalpoint dot pl 
Description:
------------
OAuth extension generates invalid SBS for requests with array params. This happens both with oauth_get_sbs and with OAuthProvider (although results differ).

For oauth_get_sbs() key names are lost when generating SBS. However when setting collapsed param name as string methods yelds correct results:

oauth_get_sbs("GET","http://host/path", [ "include[answers]" => 1  ]));

When using OAuthProvider (with live requests) param name gets encoded twice on the other hand. Also debug_sbs is truncated. I don't know if it's just debug output that is cut or the real base string.

Test script:
---------------
var_dump(
  oauth_get_sbs(
    "GET",
    "http://host/path", 
    [ "name" => [ "key" => "value" ]  ]
  )
);

// also data from real world example with OAuthProvider

Expected result:
----------------
string(57) "GET&http%3A%2F%2Fhost%2Fpath&include%255Banswers%255D%3D1"

// when OAuthProvider receives request (parts removed but same)
// this is from a client sending request (not a PHP Pecl extension)

GET&https%3A%2F%2F....&include%255Banswers%255D%3D1%26oauth_consumer_key....oauth_token%3D9f98c213db%26oauth_version%3D1.0

Actual result:
--------------
string(41) "GET&http%3A%2F%2Fhost%2Fpath&name%3Dvalue"

// when OAuthProvider receives request (parts removed but same)
// this is from debug_sbs returned through OAuthException

GET&https%3A%2F%2F....&include%3D1%26include%255Banswers%255D%3D1%26oauth_consumer_key....oauth_token%3D9f98c213db%26oauth_ver

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-09-26 12:40 UTC] m dot kurzyna at crystalpoint dot pl 
There is a c&p error in expected result - params are for [ 'include' => [ 'answers' => 1 ] ]. Sorry.

Proper expected:
string(54) "GET&http%3A%2F%2Fhost%2Fpath&name%255Bkey%255D%3Dvalue"
 [2021-10-18 17:11 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-10-18 17:11 UTC] cmb@php.net 
I can confirm the reported behavior with oauth's master branch.
The nested array is sorted[1], and as such the keys are
dropped[2]; that *might* not be regarded as bug, but rather a
limitation, but associating the key of the outer array with the
value of the inner array is definitely a bug.

[1] <https://github.com/php/pecl-web_services-oauth/blob/2.0.7/oauth.c#L519>
[2] <https://3v4l.org/JcgXp>
 [2021-10-19 09:25 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Assigned To: cmb +Assigned To:
 [2021-10-19 09:25 UTC] cmb@php.net 
> […], but associating the key of the outer array with the value
> of the inner array is definitely a bug.

No, not really.  PHP is special in how it encodes/decodes array
parameters; the rest of the world does it without brackets.  And
oauth_get_sbs() is supposed to work that way[1].  We need to
document that, though.

[1] <https://github.com/php/pecl-web_services-oauth/blob/2.0.7/tests/oauth_sbs.phpt#L52>
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Apr 02 03:01:28 2025 UTC