Bug in OAuth key generation for sha1 #263

Merged
merged 1 commit into from Jun 8, 2012


@nanodocumet
Contributor

Per spec (http://tools.ietf.org/html/rfc5849#section-3.4.2) the consumer_secret (client shared-secret) and token_secret should be encoded before being used as part of the key for sha1.

@mikeal
Member
mikeal commented Jun 8, 2012

are you sure this doesn't double-encode the same value later on?

@nanodocumet
Contributor

99% sure it does not. None of the tests for OAuth include any of the following characters , / ? : @ & = + $ # in the consumer_secret or the token_secret, and that's probably why it has not been found before.

The key is just for the SHA1, the result is the signature. From the spec:

digest: is used to set the value of the "oauth_signature" protocol parameter, after the result octet string is base64-encoded per [RFC2045], Section 6.8.

@mikeal
Member
mikeal commented Jun 8, 2012

ok, merging. i'll keep an eye out for new reported oauth failures just in case.

@mikeal mikeal merged commit 5027141 into request:master Jun 8, 2012