php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68416 OAuth PLAINTEXT signature: nonce and timestamp required
Submitted: 2014-11-13 21:51 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: cweiske@php.net Assigned:
Status: Open Package: oauth (PECL)
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-11-13 21:51 UTC] cweiske@php.net
Description:
------------
OAuthProvider requires the request parameters oauth_nonce and oauth_timestamp even if the signature method is PLAINTEXT. You will get the following exception when one of the parameters is missing:

> Uncaught exception 'OAuthException' with message 'Missing required parameters'

RFC 5849 section 3.1[1] says the contrary:

oauth_timestamp
 The timestamp value as defined in Section 3.3.  The parameter
 MAY be omitted when using the "PLAINTEXT" signature method.

oauth_nonce
 The nonce value as defined in Section 3.3.  The parameter MAY
 be omitted when using the "PLAINTEXT" signature method.

[1] http://tools.ietf.org/html/rfc5849#section-3.1

The attached test script demonstrates the problem. When oauth_nonce and oauth_timestamp are re-added to the params array, all is fine. If they are removed, OAuthProvider throws an exception - which it should not


Test script:
---------------
<?php
$params = array(
    'oauth_consumer_key' => 'anyone',
    'oauth_callback'     => 'http://example.org/',
    'oauth_signature_method' => 'PLAINTEXT',
    'oauth_signature' => 'secret&',
    //'oauth_nonce' => '',
    //'oauth_timestamp' => '',
);
function allfine()
{
    return OAUTH_OK;
}
function lookupConsumer($prov)
{
    $prov->consumer_secret = 'secret';
    return OAUTH_OK;
}
$prov = new OAuthProvider($params);
$prov->isRequestTokenEndpoint(true);
$prov->consumerHandler('lookupConsumer');
$prov->timestampNonceHandler('allfine');
$prov->tokenHandler('allfine');
$prov->checkOAuthRequest('http://example.com/', 'POST');
//no exception here
?>



Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 11:01:24 2019 UTC