Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Brackets escaped wrong in OauthTools.UrlEncodeRelaxed #1104

Closed
mscharrig opened this issue Apr 4, 2018 · 6 comments
Closed

Brackets escaped wrong in OauthTools.UrlEncodeRelaxed #1104

mscharrig opened this issue Apr 4, 2018 · 6 comments

Comments

@mscharrig
Copy link

Expected Behavior

If adding an UrlSegment to a RestRequest with brackets "(" or ")":

OauthTools.UrlEncodeRelaxed(string value) should return:

"...242%2520%252868-7802%2529-2191"

Actual Behavior

Actual returned value is:

"...242%2520%2868-7802%29-2191"

This causes invalid oauth signatures.

Steps to Reproduce the Problem

  1. Adding any UrlSegment that contains brackets
RestRequest request = new RestRequest(...);
request.AddUrlSegment(..., "242 (68-7802)-2191");

Specifications

  • Version: 105.2.3, but I could also reproduce this on the most recent version
  • Platform: Windows 10 - .NET 4.6.1

Workaround

When I change the code to run the for-loop in UrlEncodeRelaxed before doing the Uri escaping, I get the expected behavior.
@alexeyzimarev
Copy link
Member

I think encoding parenthesis is not required at all and may be should be removed?

@alexeyzimarev
Copy link
Member

I see, it is double encoding

@alexeyzimarev
Copy link
Member

In the latest version the output is 242%20%2868-7802%29-2191, which is a single encoding and seems to be right. Correct me if I am wrong.

@mscharrig
Copy link
Author

I still think, that it should get encoded to "242%2520%252868-7802%2529-2191". If we are using "242%20%2868-7802%29-2191" the REST-API, which we are working with, will return an oauth invalid signature exception.

I also did some more testing:

  • .NET 4.0: Uri.EscapeDataString("!*'()") will return "!*'()"
  • .NET 4.5+: Uri.EscapeDataString("!*'()") will always return "%21%2A%27%28%29"

Therefore I changed the code to run the RFC3986 escaping before the Uri.EscapeDataString() call. Since then everything works fine and not a single exception occured.

Other people had problems with this behaviour too:
https://stackoverflow.com/questions/24962514/uri-escapedatastring-weirdness
https://stackoverflow.com/questions/26309731/why-does-uri-escapedatastring-return-a-different-result-on-my-ci-server-compared

@alexeyzimarev
Copy link
Member

Can you explain how request.AddUrlSegment(..., "242 (68-7802)-2191"); is related to OAuth?

@mscharrig
Copy link
Author

Have a look at https://developer.twitter.com/en/docs/basics/authentication/guides/creating-a-signature.html

The UrlSegment is part of the request parameters and therefore also part of the signature base string, which is used to calculate the OAuth signature. A wrong calculated OAuth signature results in an unauthorized OAuth request.

"Make sure to percent encode the parameter string! The signature base string should contain exactly 2 ampersand ‘&’ characters. The percent ‘%’ characters in the parameter string should be encoded as %25 in the signature base string."

That means for example "(" should get first encoded to "%28" and "%" should then get encoded to "%25" resulting in "%2528".

@mscharrig mscharrig mentioned this issue May 17, 2018
Merged
5 tasks
alexeyzimarev added a commit that referenced this issue May 17, 2018
@alexeyzimarev
Merge pull request #1121 from mscharrig/develop
398e546 
Fixes #1104
@mscharrig mscharrig mentioned this issue Jun 8, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexeyzimarev @mscharrig