parameters in http_url incorrectly handled in Request.from_request() #21

rogerm opened this Issue Aug 9, 2010 · 3 comments


None yet

4 participants

rogerm commented Aug 9, 2010

When the http_url parameter is parsed to see if it contains any params, the paramsaren't removed from the url after being added to the parameters variable. Request.get_normalized_parameters() also parses the raw url (why?) when constructing the cignaturebasestring. The combination of these actions is that parameters coming from http_url get included twice in the signature base string.


  • in from_request, after parsing http_url: http_url = http_url.split('?',1)[0]

It's not clear that you need or want to parse the original url again in get_normalized_parameters, it would be cleaner is all constructors and factories ensured that parameters get extracted on creation so you can just use the reqeust dictionary and the normalized url.

amrox commented Jan 27, 2012

I just ran into this issue myself. Is there some reasoning behind the behavior or is it a bug?


I have a similar issue in Request.from_consumer_and_token. Apparently when a URL redirects the request method is invoked twice this means that parameters are copied twice and the URL is signed twice.

Ad hoc fixes (this may break other functionality):

In the Client.request method:

    if 'oauth_token' not in uri:
        req.sign_request(self.method, self.consumer, self.token)

In the Request.from_consumer_and_token method:

    parameters = defaults
    if http_url is not None and '?' in http_url:
        parameters = {}
@maxcountryman maxcountryman added a commit to maxcountryman/python-oauth2 that referenced this issue Jan 30, 2012
@maxcountryman maxcountryman fixes a problem where redirecting URLs would be populated with twice …
…their original number of parameters, see #21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment