Posted to issues@shindig.apache.org by "Henry Saputra (JIRA)" <ji...@apache.org> on 2010/05/03 20:09:58 UTC
[jira] Created: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam
Add space to the allowed param name for OAuthRequest.allowParam
----------------------------------------------------------------
Key: SHINDIG-1322
URL: https://issues.apache.org/jira/browse/SHINDIG-1322
Project: Shindig
Issue Type: Bug
Components: Java
Affects Versions: 1.1-BETA5
Reporter: Henry Saputra
Priority: Minor
Attachments: addSapcetoallowedParams.patch
The ALLOWED_PARAM_NAME is used in OAuthRequest.allowParam to validate param names for the decoded parameter name from the call to OAuth.decodeForm().
So if a space in the query parameter name is encoded correctly with "+"
or "%20", e.g. "submit+job", the call to OAuth.sanitize(List<Parameter>
params) will be decoded by the OAuth.decodeForm method before being checked by OAuthRequest.checkParam.
Hence the param name becomes "submit job", which will cause it to fail the pattern match.
This query parameter name (with space) is legal since it will later
be encoded when signing the OAuthRequest inside
OAuthSignature.getBaseString.
Adding space as an allowed character in OAuthRequest.ALLOWED_PARAM_NAME to fix this.
Please review this at http://codereview.appspot.com/991045/show
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
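
The decode-then-validate behaviour described in the issue above, as an added example that is not part of the original message or of Shindig's code. The two patterns are assumed stand-ins for ALLOWED_PARAM_NAME before and after the change, and the class and method names are hypothetical; the sample names are constructed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ParamNameCheck {
    // Stand-in allow-list without space (assumed; not Shindig's actual pattern).
    static final Pattern BEFORE = Pattern.compile("[-\\w~!@$*()\\[\\]:,./]+");
    // Same set plus a literal space only; \s would also admit tab, CR and LF.
    static final Pattern AFTER = Pattern.compile("[-\\w~!@$*()\\[\\]:,./ ]+");

    // Form-decode once, mirroring the decode step the issue places before the check.
    static String decode(String wireName) {
        return URLDecoder.decode(wireName, StandardCharsets.UTF_8);
    }

    // The allow-list is matched against the decoded name, not the wire form.
    static boolean allowed(Pattern p, String wireName) {
        return p.matcher(decode(wireName)).matches();
    }

    // OAuth percent-encoding as used for the signature base string: space -> %20.
    static String baseStringEncode(String name) {
        return URLEncoder.encode(name, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    public static void main(String[] args) {
        // Constructed wire-format parameter names: two space encodings,
        // then an encoded line feed and an encoded tab.
        String[] samples = {"submit+job", "submit%20job", "submit%0Ajob", "submit%09job"};
        for (String s : samples) {
            String name = decode(s);
            System.out.printf("%-14s before=%-5b after=%-5b base=%s%n",
                    s, allowed(BEFORE, s), allowed(AFTER, s), baseStringEncode(name));
        }
    }
}
```

Both encodings of the space decode to the same name, which only the widened pattern accepts, while names carrying an encoded line feed or tab are still rejected because the class was widened with a literal space rather than a whitespace shorthand.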
[jira] Resolved: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam
Posted by "Henry Saputra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henry Saputra resolved SHINDIG-1322.
------------------------------------
Fix Version/s: 1.1-BETA6
Resolution: Fixed
[jira] Updated: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam
Posted by "Henry Saputra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henry Saputra updated SHINDIG-1322:
-----------------------------------
Attachment: addSapcetoallowedParams.patch
Proposed fix for Shindig-1322