parameters in http_url incorrectly handled in Request.from_request() #21

Open
rogerm opened this Issue Aug 9, 2010 · 3 comments

Projects

None yet

4 participants

@rogerm
rogerm commented Aug 9, 2010

When the http_url parameter is parsed to see if it contains any params, the paramsaren't removed from the url after being added to the parameters variable. Request.get_normalized_parameters() also parses the raw url (why?) when constructing the cignaturebasestring. The combination of these actions is that parameters coming from http_url get included twice in the signature base string.

Fix:

  • in from_request, after parsing http_url: http_url = http_url.split('?',1)[0]

It's not clear that you need or want to parse the original url again in get_normalized_parameters, it would be cleaner is all constructors and factories ensured that parameters get extracted on creation so you can just use the reqeust dictionary and the normalized url.

@amrox
amrox commented Jan 27, 2012

I just ran into this issue myself. Is there some reasoning behind the behavior or is it a bug?

@maxcountryman

I have a similar issue in Request.from_consumer_and_token. Apparently when a URL redirects the request method is invoked twice this means that parameters are copied twice and the URL is signed twice.

Ad hoc fixes (this may break other functionality):

In the Client.request method:

    if 'oauth_token' not in uri:
        req.sign_request(self.method, self.consumer, self.token)

In the Request.from_consumer_and_token method:

    defaults.update(parameters)
    parameters = defaults
    if http_url is not None and '?' in http_url:
        parameters = {}
@maxcountryman maxcountryman added a commit to maxcountryman/python-oauth2 that referenced this issue Jan 30, 2012
@maxcountryman maxcountryman fixes a problem where redirecting URLs would be populated with twice …
…their original number of parameters, see #21
5882195
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment