Posted to dev@shindig.apache.org by "Brian Eaton (JIRA)" <ji...@apache.org> on 2008/04/25 06:25:59 UTC
[jira] Created: (SHINDIG-211) signed fetcher too paranoid
signed fetcher too paranoid
---------------------------
Key: SHINDIG-211
URL: https://issues.apache.org/jira/browse/SHINDIG-211
Project: Shindig
Issue Type: Bug
Reporter: Brian Eaton
Attachments: signed-fetch-legal-chars.patch
Symptom: somebody complains that their makeRequest doesn't verify properly or that parameters are missing.
Root cause: SigningFetcher is overly paranoid about signing parameters with weird characters in the names.
Source of confusion: Instead of throwing an exception when it can't sign a message, SigningFetcher either removes the invalid parameter entirely (query string) or leaves the parameter out of the signature base string (post body).
I've made SigningFetcher less paranoid, and also made it throw exceptions early on if a request contains invalid query or post parameters.
Some subset of requests that used to "work" with invalid signatures or missing parameters will now fail. Early/obvious failures are better than late/subtle ones.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
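
The failure mode reported above, as an added example that is not part of the original thread and is not Shindig's code: a signer that silently drops parameters it considers unsafe produces a request the receiver cannot verify, while a signer that refuses up front fails visibly. Assumptions: a simplified OAuth 1.0-style signature base string, HMAC-SHA1 standing in for whatever signature method is in use, and a hypothetical allow-list `LEGAL_NAME` (the page does not say which characters the fetcher accepts).

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Hypothetical allow-list for parameter names (assumption; not taken from Shindig).
LEGAL_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")
KEY = b"constructed-demo-key"  # constructed sample key
# Constructed sample request: one query and one post parameter have "weird" names.
URL = "http://example.org/api"
QUERY = [("id", "7"), ("filter[]", "a")]
POST = [("title", "hi"), ("note(1)", "x")]


def enc(s):
    # Percent-encode everything except RFC 3986 unreserved characters.
    return quote(s, safe="-._~")


def sign(method, url, params):
    """Sign METHOD & url & sorted, encoded name=value pairs."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    return hmac.new(KEY, base.encode(), hashlib.sha1).hexdigest()


def sign_lenient(method, url, query, post):
    """Behaviour described in the report: drop silently instead of failing."""
    sent_query = [(k, v) for k, v in query if LEGAL_NAME.match(k)]  # removed from request
    signed_post = [(k, v) for k, v in post if LEGAL_NAME.match(k)]  # sent, but not signed
    return sent_query, post, sign(method, url, sent_query + signed_post)


def sign_strict(method, url, query, post):
    """Fail early: refuse to sign a request that cannot be fully covered."""
    bad = [k for k, _ in query + post if not LEGAL_NAME.match(k)]
    if bad:
        raise ValueError(f"cannot sign parameters: {bad}")
    return query, post, sign(method, url, query + post)


def verify(method, url, query, post, sig):
    """Receiver recomputes the signature over every parameter it received."""
    return hmac.compare_digest(sign(method, url, query + post), sig)


if __name__ == "__main__":
    q, p, sig = sign_lenient("POST", URL, QUERY, POST)
    print("query as sent:", q, "| receiver verifies:", verify("POST", URL, q, p, sig))
```
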
Re: [jira] Created: (SHINDIG-211) signed fetcher too paranoid
Posted by Brian Eaton <be...@google.com>.
Yes.
On Fri, Apr 25, 2008 at 10:11 AM, Arne Roomann-Kurrik <ku...@google.com> wrote:
> This seems like it would address
> http://code.google.com/p/opensocial-resources/issues/detail?id=136 (Signature
> error, Orkut dropping params with square brackets and parens). Is that a
> correct assessment?
>
> ~Arne
>
Re: [jira] Created: (SHINDIG-211) signed fetcher too paranoid
Posted by Arne Roomann-Kurrik <ku...@google.com>.
This seems like it would address
http://code.google.com/p/opensocial-resources/issues/detail?id=136 (Signature
error, Orkut dropping params with square brackets and parens). Is that a
correct assessment?
~Arne
[jira] Updated: (SHINDIG-211) signed fetcher too paranoid
Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Eaton updated SHINDIG-211:
--------------------------------
Attachment: signed-fetch-legal-chars.patch
[jira] Closed: (SHINDIG-211) signed fetcher too paranoid
Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Brown closed SHINDIG-211.
-------------------------------
Resolution: Fixed
Applied. Thank you!