Posted to issues@shindig.apache.org by "Henry Saputra (JIRA)" <ji...@apache.org> on 2010/05/03 20:10:03 UTC

[jira] Updated: (SHINDIG-1322) Add space to the allowed param name for OAuthRequest.allowParam

     [ https://issues.apache.org/jira/browse/SHINDIG-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henry Saputra updated SHINDIG-1322:
-----------------------------------

    Attachment: addSapcetoallowedParams.patch

Proposed fix for Shindig-1322

> Add space to the allowed param name for OAuthRequest.allowParam 
> ----------------------------------------------------------------
>
>                 Key: SHINDIG-1322
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1322
>             Project: Shindig
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 1.1-BETA5
>            Reporter: Henry Saputra
>            Priority: Minor
>         Attachments: addSapcetoallowedParams.patch
>
>
> The ALLOWED_PARAM_NAME is used in OAuthRequest.allowParam to validate param names for the decoded parameter name from the call to OAuth.decodeForm().
> So if a space in the query parameter name is encoded correctly with "+"
> or "%20", e.g. "submit+job", the call to OAuth.sanitize(List<Parameter>
> params) will be decoded by the OAuth.decodeForm method before being checked by OAuthRequest.checkParam.
> Hence the param name is "submit job", which will cause it to fail the pattern match.
> This query parameter name (with space) is legal since it will later
> be encoded when signing the OAuthRequest inside
> OAuthSignature.getBaseString.
> Adding space as an allowed character in OAuthRequest.ALLOWED_PARAM_NAME to fix this.
> Please review this at http://codereview.appspot.com/991045/show

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
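
The decode-then-validate ordering described in the issue, as an added illustration that is not Shindig's code or part of the original message. Both patterns are hypothetical stand-ins (the real ALLOWED_PARAM_NAME is not shown in this message), java.net classes stand in for the OAuth library's form decoding and percent-encoding, and Java 10 or later is assumed.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ParamNameCheck {
    // Hypothetical allow-lists for illustration only; not copied from Shindig.
    static final Pattern STRICT = Pattern.compile("[-\\w~!@$*()\\[\\]:,./]+");
    // Same list plus a literal space. A literal space, not \s, so that
    // newlines, tabs and other control characters stay rejected.
    static final Pattern WITH_SPACE = Pattern.compile("[-\\w~!@$*()\\[\\]:,./ ]+");

    // Form decoding happens before validation: "+" and "%20" both become " ".
    static String decode(String raw) {
        return URLDecoder.decode(raw, StandardCharsets.UTF_8);
    }

    // The allow-list sees the decoded name, never the wire form.
    static boolean allowed(Pattern allowList, String rawName) {
        return allowList.matcher(decode(rawName)).matches();
    }

    // OAuth 1.0 percent-encoding, as applied when the signature base string
    // is built: only unreserved characters stay literal, space becomes %20.
    static String percentEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20")
                .replace("*", "%2A")
                .replace("%7E", "~");
    }

    public static void main(String[] args) {
        // Constructed sample parameter names in their on-the-wire form.
        String[] rawNames = {"submit+job", "submit%20job", "submit_job", "submit%0Ajob"};
        for (String raw : rawNames) {
            System.out.printf("%-14s strict=%-5b withSpace=%-5b baseString=%s%n",
                    raw,
                    allowed(STRICT, raw),
                    allowed(WITH_SPACE, raw),
                    percentEncode(decode(raw)));
        }
    }
}
```

The first two names fail only the strict pattern, while the encoded newline in the last one is rejected by both, which is the property to preserve when widening an allow-list.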