Fixed calls to toLowerCase() to be toLowerCase(Locale.US) instead. #420
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The no-arg method uses Locale.getDefault() internally. On an Android device, this uses the currently active Locale. If the currently active locale happens to be Turkish, then uppercase "I" becomes a non-ASCII unicode character 'LATIN SMALL LETTER DOTLESS I'. This specifically manifested as the header X-Goog-Encode-Response-If-Executable being rejected by the okhttp library because it contained the non-ASCII character. NOTE: this commit was originally written by @stuartfehr
|
(I'll hold off on merging this in until we have finished the release that is in progress) |
chingor13
approved these changes
Jul 19, 2018
chingor13
added
the
do not merge
jeanbza
removed
the
do not merge
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Jan 15, 2021
By default `toLowerCase` uses the device's Locale, which could have unexpected consequences on non-en_US locales. See also googleapis/google-http-java-client#420 (comment). Differential Revision: https://phabricator.services.mozilla.com/D101822
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Jan 16, 2021
By default `toLowerCase` uses the device's Locale, which could have unexpected consequences on non-en_US locales. See also googleapis/google-http-java-client#420 (comment). Differential Revision: https://phabricator.services.mozilla.com/D101822 UltraBlame original commit: 349adceeb04a891d857c07fdbe711c5f4202a42e
clundin25
pushed a commit
to clundin25/google-http-java-client
that referenced
this pull request
Aug 11, 2022
…gleapis#420) * feat: add TokenVerifier class that can verify RS256/ES256 tokens * test: inject HttpTransportFactory for testing * test: inject HttpTransportFactory for testing * fix: use google-http-client for actual signature verification * chore: lint * test: split test into unit and integration Unit tests mock out the http request activity. Integration tests hit the live urls. * chore: lint * fix: return the JsonWebSignature instance on verify * test: remove IT test as the signature keys can/will change over time * docs: add javadoc for TokenVerifier * docs: add guide for verifying tokens in the README * chore: remove auto-value config changes * chore: tense, lower-case first word, no period * chore: run formatter * chore: more javadoc fixes * chore: remove line from README example * sample: add snippet showing check for additional claim * fix: remove default constructor - users should always use builder
clundin25
pushed a commit
to clundin25/google-http-java-client
that referenced
this pull request
Aug 11, 2022
🤖 I have created a release \*beep\* \*boop\* --- ## [0.21.0](https://www.github.com/googleapis/google-auth-library-java/compare/v0.20.0...v0.21.0) (2020-06-24) ### Features * add TokenVerifier class that can verify RS256/ES256 tokens ([googleapis#420](https://www.github.com/googleapis/google-auth-library-java/issues/420)) ([5014ac7](https://www.github.com/googleapis/google-auth-library-java/commit/5014ac72a59d877ef95c616d0b33792b9fc70c25)) ### Dependencies * update autovalue packages to v1.7.2 ([googleapis#429](https://www.github.com/googleapis/google-auth-library-java/issues/429)) ([5758364](https://www.github.com/googleapis/google-auth-library-java/commit/575836405bd5803d6202bd0018609184d6a15831)) * update dependency com.google.http-client:google-http-client-bom to v1.35.0 ([googleapis#427](https://www.github.com/googleapis/google-auth-library-java/issues/427)) ([5494ec0](https://www.github.com/googleapis/google-auth-library-java/commit/5494ec0a73319fb955b3d7ba025aea9607020c4e)) * update Guava to 29.0-android ([googleapis#426](https://www.github.com/googleapis/google-auth-library-java/issues/426)) ([0cd3c2e](https://www.github.com/googleapis/google-auth-library-java/commit/0cd3c2ec0aef3ff0f0379b32f9d05126442219b6)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The no-arg method uses Locale.getDefault() internally. On an Android device, this uses the currently active Locale. If the currently active locale happens to be Turkish, then uppercase "I" becomes a non-ASCII unicode character 'LATIN SMALL LETTER DOTLESS I'.
This specifically manifested as the header X-Goog-Encode-Response-If-Executable being rejected by the okhttp library because it contained the non-ASCII character.
NOTE: this commit was originally written by @stuartfehr