Posted to dev@couchdb.apache.org by "Joan Touzet (JIRA)" <ji...@apache.org> on 2011/04/28 20:10:03 UTC
[jira] [Commented] (COUCHDB-1144) oauth requests with non-percent-encoded realms result in function_clause error in HTTP request
[ https://issues.apache.org/jira/browse/COUCHDB-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13026395#comment-13026395 ]
Joan Touzet commented on COUCHDB-1144:
--------------------------------------
After chatting with davisp in IRC, we agree that the bug is in erlang-oauth/src/oauth_uri.erl. A patch against the 1.1 is attached; it is the oauth_uri.erl from trunk/upstream. Paired code inspection (with davisp) shows no variance in the exported functions, so this is a drop-in replacement.
I respectfully request including this in 1.1.0. :)
> oauth requests with non-percent-encoded realms result in function_clause error in HTTP request
> ----------------------------------------------------------------------------------------------
>
> Key: COUCHDB-1144
> URL: https://issues.apache.org/jira/browse/COUCHDB-1144
> Project: CouchDB
> Issue Type: Bug
> Components: HTTP Interface
> Affects Versions: 1.0.2, 1.1
> Environment: OSX - branch 1.1 - r1095237
> Reporter: Joan Touzet
> Priority: Minor
> Attachments: oauth-realm-test.patch, oauth_uri.erl
>
>
> As illustrated in this Wireshark packet dump, lines 53ff, any OAuth request with a non-percent-encoded URL as the realm will return a 500 error:
> http://friendpaste.com/3vXPjHP6s7dLZjsj7DOfSH
> Erlang stacktrace is similar to:
> [error] [<0.189.0>] function_clause error in HTTP request
> [Wed, 27 Apr 2011 23:31:46 GMT] [info] [<0.189.0>] Stacktrace:
> [{oauth_uri,decode, ["://127.0.0.1:5984","ptth"]},
> {oauth_uri,param_from_header_string,1},
> {oauth_uri,'-params_from_header_string/1-lc$^0/1-0-',1},
> {couch_httpd_oauth,serve_oauth,3},
> {couch_httpd,authenticate_request,2},
> {couch_httpd,handle_request_int,5},
> {mochiweb_http,headers,5},
> {proc_lib,init_p_do_apply,3}]
> [Wed, 27 Apr 2011 23:31:46 GMT] [info] [<0.189.0>] 127.0.0.1 - - 'PUT' /test_c_project/16f74c25-d641-4710-8f38-18295a8a69b1 500
> Chatted with benoitc today and he suggested this may be because the realm is not being properly encoded before being passed on.
> By default, some OAuth libraries such as Python's popular oauth2 library always set the realm of a request to the URL of the resource being accessed, such as http://localhost:5984/ . (In fact, oauth2 library does not support overriding this setting.) The OAuth spec @ http://oauth.net/core/1.0/ also shows realms specified as URLs. RFC5849 states "The OPTIONAL "realm" parameter MAY be added and interpreted per [RFC2617] section 1.2.", which in turn says the realm is any quoted-string.
> It seems that this may already be fixed in trunk simply because trunk has a newer version of the upstream erlang-oauth.
> A JS test could be added in futon to validate this by modifying function oauthRequest to accept a realm parameter, then passing that down to OAuth.getAuthorizationHeader on line 56.
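The failure mode in the stack trace above, as an added example that is not part of the original message and is not the erlang-oauth source: a percent-decoder whose clauses cover only `%XX` escapes and unreserved characters has no clause for the ":" in a raw URL realm, so a client-supplied header crashes the request with function_clause. The module name, function names, exact clause set and sample realm are assumptions chosen to match the decode arguments in the trace; the lenient variant is one tolerant alternative, not a claim about what trunk does.

```erlang
%% Added illustration; NOT the erlang-oauth source. Names are hypothetical.
-module(realm_decode_demo).
-export([decode_strict/1, decode_lenient/1, demo/0]).

-define(is_hex(C), ((C >= $0 andalso C =< $9) orelse
                    (C >= $a andalso C =< $f) orelse
                    (C >= $A andalso C =< $F))).
-define(is_unreserved(C), ((C >= $a andalso C =< $z) orelse
                           (C >= $A andalso C =< $Z) orelse
                           (C >= $0 andalso C =< $9) orelse
                           C =:= $- orelse C =:= $. orelse
                           C =:= $_ orelse C =:= $~)).

%% Strict: only %XX escapes and unreserved characters have a clause.
%% Any other character (":" or "/" in a raw URL) matches nothing and
%% raises function_clause.
decode_strict(Chars) -> decode_strict(Chars, []).

decode_strict([], Acc) ->
    lists:reverse(Acc);
decode_strict([$%, A, B | Rest], Acc) when ?is_hex(A), ?is_hex(B) ->
    decode_strict(Rest, [list_to_integer([A, B], 16) | Acc]);
decode_strict([C | Rest], Acc) when ?is_unreserved(C) ->
    decode_strict(Rest, [C | Acc]).

%% Lenient: same escapes, but every other character is copied through,
%% so a quoted-string realm is accepted encoded or not.
decode_lenient(Chars) -> decode_lenient(Chars, []).

decode_lenient([], Acc) ->
    lists:reverse(Acc);
decode_lenient([$%, A, B | Rest], Acc) when ?is_hex(A), ?is_hex(B) ->
    decode_lenient(Rest, [list_to_integer([A, B], 16) | Acc]);
decode_lenient([C | Rest], Acc) ->
    decode_lenient(Rest, [C | Acc]).

demo() ->
    Raw = "http://127.0.0.1:5984",          % constructed sample realm
    Enc = "http%3A%2F%2F127.0.0.1%3A5984",  % same realm, percent-encoded
    Raw = decode_strict(Enc),               % encoded input decodes fine
    Raw = decode_lenient(Enc),
    Raw = decode_lenient(Raw),              % raw input is passed through
    %% Strict decoding stops at ":" with "ptth" accumulated, the same
    %% arguments the stack trace shows for oauth_uri:decode.
    {'EXIT', {function_clause, _}} = (catch decode_strict(Raw)),
    ok.
```

In an Erlang shell, `c(realm_decode_demo).` followed by `realm_decode_demo:demo().` returns `ok` when all four matches hold.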