Subject: Repeated parameters incorrectly handled
Date: Fri, 6 Aug 2010 22:46:27 +0100
To: <bug-Net-OAuth [...] rt.cpan.org>
From: "Alasdair McIntyre" <alasdair.mcintyre [...] lovefilm.com>
Distribution: Net-OAuth-0.27
URIs with repeated query parameters are mishandled.
Example code:
#!/usr/bin/perl
use Net::OAuth;

# Build a consumer request whose URL carries the same query parameter twice.
my $request = Net::OAuth->request("consumer")->new(
    consumer_key     => 'dpf43f3p2l4k3l03',
    consumer_secret  => 'kd94hf93k423kf44',
    request_url      => 'https://photos.example.net/example?xyz=1&xyz=2',
    request_method   => 'POST',
    signature_method => 'HMAC-SHA1',
    timestamp        => '1191242090',
    nonce            => 'hsu94j3884jdopsl',
);
$request->sign;
print $request->to_url, "\n";
Actual output:
https://photos.example.net/example
?oauth_consumer_key=dpf43f3p2l4k3l03
&oauth_nonce=hsu94j3884jdopsl
&oauth_signature=TiBfujKj8lqfSb4z09cCA0rgF3M%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1281130089
&oauth_version=1.0
&xyz=1
Expected output:
https://photos.example.net/example
?oauth_consumer_key=dpf43f3p2l4k3l03
&oauth_nonce=hsu94j3884jdopsl
&oauth_signature=nHAFXgbGExTUON4dGLYmQVJO9CE%3D
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1281130089
&oauth_version=1.0
&xyz=1
&xyz=2
This flaw is also present if a duplicate parameter is supplied via
extra_params.
The library is also unable to correctly verify the signatures on incoming
requests if any duplicate parameters are present, either as URI
parameters or POST parameters.
See http://tools.ietf.org/html/rfc5849, section 3.4.1.3.2. Parameters
Normalization:
2. The parameters are sorted by name, using ascending byte value
ordering. If two or more parameters share the same name, they
are sorted by their value.
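As an added illustration (not part of this report and not Net::OAuth code), the following Python follows the quoted RFC 5849 normalization rule, keeping parameters as a list of pairs so that repeated names survive both signing and server-side verification. The credentials, nonce and timestamp are the sample values from the report above; the function names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Sample values taken from the bug report (RFC 5849 example credentials).
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
REQUEST_URL = "https://photos.example.net/example?xyz=1&xyz=2"
OAUTH_PARAMS = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", "hsu94j3884jdopsl"),
                ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1281130089"),
                ("oauth_version", "1.0")]

def oauth_encode(s):
    # RFC 5849 3.6: percent-encode everything except the unreserved set.
    return quote(s, safe="-._~")

def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default port and query.
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port is not None and p.port != {"http": 80, "https": 443}[scheme]:
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"

def normalize_params(pairs):
    # RFC 5849 3.4.1.3.2: encode, sort by name then by value, join with '&'.
    # Sorting (name, value) tuples keeps every duplicate instead of collapsing it.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)

def collect_params(url, oauth_params, body_params=()):
    # A list of pairs, never a dict: parse_qsl returns both xyz=1 and xyz=2.
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return query + list(body_params) + [(k, v) for k, v in oauth_params if k != "oauth_signature"]

def hmac_sha1_signature(method, url, pairs, consumer_secret, token_secret=""):
    parts = (method.upper(), base_string_uri(url), normalize_params(pairs))
    base = "&".join(oauth_encode(x) for x in parts)
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify_request(method, url, received_pairs, consumer_secret, token_secret=""):
    # Server side: recompute over ALL received pairs (duplicates included) and
    # compare in constant time; exactly one oauth_signature must be present.
    presented = [v for k, v in received_pairs if k == "oauth_signature"]
    if len(presented) != 1:
        return False
    rest = [(k, v) for k, v in received_pairs if k != "oauth_signature"]
    expected = hmac_sha1_signature(method, url, rest, consumer_secret, token_secret)
    return hmac.compare_digest(presented[0], expected)
```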