Posted to issues@shindig.apache.org by "Bastian Hofmann (JIRA)" <ji...@apache.org> on 2010/07/27 17:09:18 UTC
[jira] Commented: (SHINDIG-966) token over-decoding
[ https://issues.apache.org/jira/browse/SHINDIG-966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12892812#action_12892812 ]
Bastian Hofmann commented on SHINDIG-966:
-----------------------------------------
We have the same problem with over-decoding of the security token. In order to not break the makeRequest servlet, the following changes are needed:
--- - 2010-07-27 12:57:13.000000000 +0200
+++ php/src/gadgets/MetadataHandler.php 2010-07-26 08:55:15.000000000 +0200
@@ -53,9 +53,6 @@
return null;
}
}
- if (count(explode(':', $token)) < 7) {
- $token = urldecode(base64_decode($token));
- }
$gadgetSigner = Config::get('security_token_signer');
$gadgetSigner = new $gadgetSigner();
return $gadgetSigner->createToken($token);
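Review bot: dropping the `if (count(explode(':', $token)) < 7)` branch in MetadataHandler.php means a token that still arrives urlencoded and base64-encoded is handed straight to `$gadgetSigner->createToken($token)`, so any client built against the old MakeRequestOptions encoding will fail token validation from this point on; this hunk is only safe when the MakeRequestOptions change further down ships in the same release. Also, the `--- -` header shows the original side of the diff was read from stdin, so the patch carries no usable path for the old file and the header needs regenerating before it applies cleanly.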
--- - 2010-07-27 12:57:57.000000000 +0200
+++ php/src/social/servlet/ApiServlet.php 2010-07-26 08:55:15.000000000 +0200
@@ -131,9 +131,6 @@
return null;
}
}
- if (count(explode(':', $token)) < 7) {
- $token = urldecode(base64_decode($token));
- }
$gadgetSigner = Config::get('security_token_signer');
$gadgetSigner = new $gadgetSigner();
return $gadgetSigner->createToken($token);
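Review bot: this is the second of three identical `if (count(explode(':', $token)) < 7) { $token = urldecode(base64_decode($token)); }` blocks being removed (MetadataHandler.php, ApiServlet.php, GadgetContext.php); rather than keeping three servlets in step by hand, the decision of whether a token string needs decoding belongs in one place, for example inside the configured `security_token_signer`'s `createToken()`, so that the next change to the token format does not have to be replicated across all of them.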
--- - 2010-07-27 12:57:08.000000000 +0200
+++ php/src/gadgets/GadgetContext.php 2010-07-26 08:55:15.000000000 +0200
@@ -285,9 +285,6 @@
* @return SecurityToken An object representation of the token data.
*/
public function validateToken($token, $signer) {
- if (count(explode(':', $token)) < 7) {
- $token = urldecode(base64_decode($token));
- }
if (empty($token)) {
throw new Exception("Missing or invalid security token");
}
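Review bot: removing the decode ahead of `if (empty($token))` also removes the only guard that tried to tell a serialized token from its encoded form, and that guard was itself a hazard: `base64_decode()` in its default non-strict mode does not fail on a string that is not base64, it skips the invalid characters and returns garbage, so a valid raw token whose field count happened not to match `< 7` was silently corrupted before reaching the signer. The commit message should say that the field-count heuristic is gone and that `validateToken()` now expects the raw serial form, since the `Missing or invalid security token` exception is still the only signal a caller gets either way.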
--- - 2010-07-27 16:50:27.000000000 +0200
+++ php/src/gadgets/MakeRequestOptions.php 2010-07-27 16:42:17.000000000 +0200
@@ -247,7 +247,7 @@
->setOAuthUseToken($request->getParameter('oauth_use_token'))
->setOAuthReceivedCallback($request->getParameter('oauth_received_callback'))
->setOAuthClientState($request->getParameter('oauth_state')) // Not in osapi.http spec, but nice to support
- ->setSecurityTokenString(urlencode(base64_encode($request->getToken()->toSerialForm())));
+ ->setSecurityTokenString($request->getToken()->toSerialForm());
return $options;
}
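Review bot: this producer-side change has to land together with the three consumer-side removals above; `setSecurityTokenString()` now receives the raw `toSerialForm()` output, and whatever later places that value into a URL or form parameter must apply its own urlencoding exactly once, otherwise the `:` separators and any other non-URL-safe characters in the serial form get mangled in transit. Since the extra `urlencode(base64_encode(...))` at this line is what produced the over-decoding the issue describes, a short comment stating that the string is intentionally left unencoded here would stop someone from re-adding it.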
> token over-decoding
> -------------------
>
> Key: SHINDIG-966
> URL: https://issues.apache.org/jira/browse/SHINDIG-966
> Project: Shindig
> Issue Type: Bug
> Components: PHP
> Affects Versions: 1.1-BETA1
> Reporter: Dmitry Vorobyev
> Assignee: Chris Chabot
>
> ### Eclipse Workspace Patch 1.0
> #P gadget
> Index: http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php
> ===================================================================
> --- http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php (revision 20842)
> +++ http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php (working copy)
> @@ -292,9 +292,6 @@
> if (! isset($token) || $token == '') {
> $token = isset($_POST['st']) ? $_POST['st'] : '';
> }
> - if (count(explode(':', $token)) != 6) {
> - $token = urldecode(base64_decode($token));
> - }
> if (empty($token)) {
> throw new Exception("Missing or invalid security token");
> }
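Review bot: the condition in the original report is `count(explode(':', $token)) != 6`, whereas the copies removed in the comment above read `< 7`, so the expected field count already differed between versions of the same code; a heuristic that infers the encoding from a colon count is brittle in exactly that way, and the change proposed in this thread (drop the decode and send the serial form unencoded) resolves it by fixing the convention rather than guessing. This hunk leaves the `$_POST['st']` fallback untouched, so the token can still arrive through either the query string or the POST body, and both paths now expect the same raw form.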