You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@shindig.apache.org by "Henry Saputra (JIRA)" <ji...@apache.org> on 2010/05/03 20:09:58 UTC

[jira] Created: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam

Add space to the allowed param name for OAuthRequest.allowParam 
----------------------------------------------------------------

                 Key: SHINDIG-1322
                 URL: https://issues.apache.org/jira/browse/SHINDIG-1322
             Project: Shindig
          Issue Type: Bug
          Components: Java
    Affects Versions: 1.1-BETA5
            Reporter: Henry Saputra
            Priority: Minor
         Attachments: addSapcetoallowedParams.patch

The ALLOWED_PARAM_NAME used in OAuthRequest.allowParam to validate param names for decoded parameter name from call to Oauth.decodeForm().

So if space is in the query parameter name is encoded correctly with "+"
or "%20", eg: submit+job", the call to OAuth.sanitize(List<Parameter>
params) will be decoded by OAuth.decodeForm method before being check by OAuthRequest.checkParam.
Hence the param name "submit job" which will cause it to fail pattern match.

This query parameter name (with space) is legal since it will be later
be encoded when signing the OAuthRequest inside
OAuthSignature.getBaseString.

Adding space as allowed character in the OAuthRequest.ALLOWED_PARAM_NAME to fix this.

Please review this at http://codereview.appspot.com/991045/show

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Resolved: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam

Posted by "Henry Saputra (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/SHINDIG-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henry Saputra resolved SHINDIG-1322.
------------------------------------

    Fix Version/s: 1.1-BETA6
       Resolution: Fixed

> Add space to the allowed param name for OAuthRequest.allowParam 
> ----------------------------------------------------------------
>
>                 Key: SHINDIG-1322
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1322
>             Project: Shindig
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 1.1-BETA5
>            Reporter: Henry Saputra
>            Priority: Minor
>             Fix For: 1.1-BETA6
>
>         Attachments: addSapcetoallowedParams.patch
>
>
> The ALLOWED_PARAM_NAME used in OAuthRequest.allowParam to validate param names for decoded parameter name from call to Oauth.decodeForm().
> So if space is in the query parameter name is encoded correctly with "+"
> or "%20", eg: submit+job", the call to OAuth.sanitize(List<Parameter>
> params) will be decoded by OAuth.decodeForm method before being check by OAuthRequest.checkParam.
> Hence the param name "submit job" which will cause it to fail pattern match.
> This query parameter name (with space) is legal since it will be later
> be encoded when signing the OAuthRequest inside
> OAuthSignature.getBaseString.
> Adding space as allowed character in the OAuthRequest.ALLOWED_PARAM_NAME to fix this.
> Please review this at http://codereview.appspot.com/991045/show

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam

Posted by "Henry Saputra (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/SHINDIG-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henry Saputra updated SHINDIG-1322:
-----------------------------------

    Attachment: addSapcetoallowedParams.patch

Proposed fix for Shindig-1322

> Add space to the allowed param name for OAuthRequest.allowParam 
> ----------------------------------------------------------------
>
>                 Key: SHINDIG-1322
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1322
>             Project: Shindig
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 1.1-BETA5
>            Reporter: Henry Saputra
>            Priority: Minor
>         Attachments: addSapcetoallowedParams.patch
>
>
> The ALLOWED_PARAM_NAME used in OAuthRequest.allowParam to validate param names for decoded parameter name from call to Oauth.decodeForm().
> So if space is in the query parameter name is encoded correctly with "+"
> or "%20", eg: submit+job", the call to OAuth.sanitize(List<Parameter>
> params) will be decoded by OAuth.decodeForm method before being check by OAuthRequest.checkParam.
> Hence the param name "submit job" which will cause it to fail pattern match.
> This query parameter name (with space) is legal since it will be later
> be encoded when signing the OAuthRequest inside
> OAuthSignature.getBaseString.
> Adding space as allowed character in the OAuthRequest.ALLOWED_PARAM_NAME to fix this.
> Please review this at http://codereview.appspot.com/991045/show

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.