Posted to dev@shindig.apache.org by "Brian Eaton (JIRA)" <ji...@apache.org> on 2008/04/25 06:25:59 UTC

[jira] Created: (SHINDIG-211) signed fetcher too paranoid

signed fetcher too paranoid
---------------------------

                 Key: SHINDIG-211
                 URL: https://issues.apache.org/jira/browse/SHINDIG-211
             Project: Shindig
          Issue Type: Bug
            Reporter: Brian Eaton
         Attachments: signed-fetch-legal-chars.patch

Symptom: somebody complains that their makeRequest doesn't verify properly or that parameters are missing.

Root cause: SigningFetcher is overly paranoid about signing parameters with weird characters in the names.

Source of confusion: Instead of throwing an exception when it can't sign a message, SigningFetcher either removes the invalid parameter entirely (query string) or leaves the parameter out of the signature base string (post body).

I've made SigningFetcher less paranoid, and also made it throw exceptions early on if a request contains invalid query or post parameters.

Some subset of requests that used to "work" with invalid signatures or missing parameters will now fail.  Early/obvious failures are better than late/subtle ones.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
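
Added example, not Shindig's code and not part of the original report: a Python model of the two silent failure modes described in the issue (query parameter dropped, post-body parameter left out of the signature base string) next to the fail-early behaviour. The allow-list `SAFE_NAME`, the function names, the sample request and the use of HMAC-SHA1 with a demo key in place of the container's real signing method are assumptions; the wider set of legal characters introduced by the patch is not modelled.

```python
import hashlib
import hmac
import re
from urllib.parse import quote

# Assumed allow-list for parameter names; the real SigningFetcher rule is not shown on this page.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")
KEY = b"constructed-demo-key"  # HMAC-SHA1 stands in for the container's real signing key


def enc(s):
    return quote(s, safe="-._~")  # OAuth 1.0 percent-encoding


def sign(method, url, params):
    """HMAC-SHA1 over an OAuth-style signature base string."""
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method, enc(url), enc(normalized)])
    return hmac.new(KEY, base.encode(), hashlib.sha1).hexdigest()


def lenient_fetch(method, url, query, body):
    """Behaviour in the report: drop odd query params, skip odd body params when signing."""
    sent_query = [(k, v) for k, v in query if SAFE_NAME.match(k)]
    signed_body = [(k, v) for k, v in body if SAFE_NAME.match(k)]
    sig = sign(method, url, sent_query + signed_body)
    return sent_query, body, sig  # the body still goes out in full


def strict_fetch(method, url, query, body):
    """Fail early: refuse to send a request that cannot be signed completely."""
    for k, _ in query + body:
        if not SAFE_NAME.match(k):
            raise ValueError(f"cannot sign parameter name {k!r}")
    return query, body, sign(method, url, query + body)


def receiver_verifies(method, url, query, body, sig):
    """The receiving server signs every parameter it actually received."""
    return hmac.compare_digest(sign(method, url, query + body), sig)


URL = "http://example.org/api"  # constructed sample request
q, b, s = lenient_fetch("GET", URL, [("ids[0]", "7"), ("page", "1")], [])
query_case = (q, receiver_verifies("GET", URL, q, b, s))  # verifies, but ids[0] is gone
q, b, s = lenient_fetch("POST", URL, [], [("ids[0]", "7"), ("page", "1")])
body_case = receiver_verifies("POST", URL, q, b, s)  # signature mismatch at the receiver
```

In the query case the receiver sees a valid signature over a request that is missing a parameter; in the post-body case it sees every parameter and an invalid signature. `strict_fetch` turns both into an exception at the sender.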


Re: [jira] Created: (SHINDIG-211) signed fetcher too paranoid

Posted by Brian Eaton <be...@google.com>.
Yes.

On Fri, Apr 25, 2008 at 10:11 AM, Arne Roomann-Kurrik <ku...@google.com> wrote:
> This seems like it would address
>  http://code.google.com/p/opensocial-resources/issues/detail?id=136 (Signature
>  error, Orkut dropping params with square brackets and parens).  Is that a
>  correct assessment?
>
>  ~Arne
>

Re: [jira] Created: (SHINDIG-211) signed fetcher too paranoid

Posted by Arne Roomann-Kurrik <ku...@google.com>.
This seems like it would address
http://code.google.com/p/opensocial-resources/issues/detail?id=136 (Signature
error, Orkut dropping params with square brackets and parens).  Is that a
correct assessment?

~Arne

[jira] Updated: (SHINDIG-211) signed fetcher too paranoid

Posted by "Brian Eaton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Eaton updated SHINDIG-211:
--------------------------------

    Attachment: signed-fetch-legal-chars.patch



[jira] Closed: (SHINDIG-211) signed fetcher too paranoid

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SHINDIG-211?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown closed SHINDIG-211.
-------------------------------

    Resolution: Fixed

Applied. Thank you!
