Subject: Incorrect request param normalization. Potential patch for Net::OAuth::Message::gather_message_parameters
Date: Thu, 20 Feb 2014 10:16:29 -0500
To: bug-Net-OAuth [...] rt.cpan.org
From: Juan Camacho <juan [...] camachofamily.com>
The following code generates an incorrect signature:
use strict;
use warnings;
use Net::OAuth;

# $uri is not defined in the report; any absolute URL reproduces the ordering problem
my $uri = 'http://example.com/resource';

my %args = (
    consumer_key     => 'trial',
    consumer_secret  => 'trial',
    request_url      => $uri,
    request_method   => 'GET',
    signature_method => 'HMAC-SHA1',
    timestamp        => time,
    nonce            => int(rand(99999999)),
    extra_params     => {param => 'foo', param2 => 'bar'},   # two names sharing the prefix 'param'
);
my $request = Net::OAuth->request('consumer')->new(%args);
$request->sign;                                   # base string, and so the signature, is built from the normalized params
print $request->signature_base_string, "\n";      # shows the order the parameters were signed in
The normalized param ends up encrypting a version of the string where 'param2' is before 'param'.
use Data::Dumper;
my @pairs = ('param=foo', 'param2=bar');
print Dumper([sort @pairs]); # $VAR1 = [ 'param2=bar', 'param=foo' ];  '2' (0x32) sorts before '=' (0x3D)
The following is a potential patch.
--- /home/twst/tmp/Message.pm 2014-02-20 09:25:32.000000000 -0500
+++ /home/twst/perl5/lib/perl5/Net/OAuth/Message.pm 2014-02-20 09:28:48.000000000 -0500
@@ -146,10 +146,11 @@
return \%params;
}
my @pairs;
- while (my ($k,$v) = each %params) {
+ foreach my $k (sort keys %params) {
+ my $v = $params{$k};
push @pairs, join('=', encode($k), $opts{quote} . encode($v) . $opts{quote});
}
- return sort(@pairs);
+ return @pairs;
}
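Review bot: the `foreach my $k (sort keys %params) {` line sorts the raw, unencoded names, whereas the OAuth Core 1.0a section cited below (and RFC 5849 section 3.4.1.3.2) sorts by the percent-encoded name using byte ordering; the two orders differ whenever a name contains bytes above '~' (0x7E), for example UTF-8 characters, because their '%XX' encoding sorts before '~' while the raw bytes sort after it. Sorting on the encoded names directly, e.g. `foreach my $k (sort { encode($a) cmp encode($b) } keys %params) {`, keeps the fix for 'param2' vs 'param' and matches the spec for such names as well. Separately, the hunk header `@@ -146,10 +146,11 @@` claims 10 old and 11 new lines but only 8 and 9 are shown, so blank lines appear to have been lost in transit and the patch as quoted will probably need fuzz or manual application.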
Note: The above doesn't sort both the keys and values as per the OAuth standard (http://oauth.net/core/1.0a/#sig_norm_param), but I can't see how to generate a request for multiple values on the same key (e.g. a=1&a=2) via Net::OAuth. If there is or if it's later introduced, the above will not work.
Juan Camacho
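As an added illustration, not code from the report above and not Net::OAuth's own implementation, the following Python puts the three normalization strategies this ticket touches side by side: the pre-patch sort of joined 'name=value' strings, the patch's sort on raw hash keys, and the spec's sort on percent-encoded names (then values, which also covers the a=1&a=2 case the note says the patch cannot handle), followed by HMAC-SHA1 signing so the effect on the resulting signature is visible. The consumer key/secret 'trial' and the two extra params are taken from the report; the URL, timestamp and nonce are constructed sample values, and the function names are this example's own.

```python
"""OAuth 1.0a parameter normalization, three ways (added example, not Net::OAuth code).

RFC 5849 3.4.1.3.2 / OAuth Core 1.0a 9.1.1: percent-encode every name and value,
sort by encoded name (byte order), then by encoded value for repeated names,
and join the name=value pairs with '&'.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(s):
    """RFC 5849 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded; text is UTF-8 first."""
    return quote(str(s), safe="-._~")


def normalize_buggy(params):
    """Pre-patch Net::OAuth behaviour: build 'name=value' strings, then sort those strings.

    Wrong because the '=' (0x3D) takes part in the comparison: 'param2=bar' < 'param=foo'.
    """
    pairs = [f"{oauth_encode(k)}={oauth_encode(v)}" for k, v in params]
    return "&".join(sorted(pairs))


def normalize_raw_key_sort(params):
    """The posted patch's approach: sort on the *unencoded* names, encode afterwards.

    Fixes the reported case, but a name containing bytes above '~' (0x7E), e.g. UTF-8
    text, sorts after '~' here while its '%XX' encoding must sort before it.
    """
    ordered = sorted(params, key=lambda kv: kv[0])
    return "&".join(f"{oauth_encode(k)}={oauth_encode(v)}" for k, v in ordered)


def normalize_spec(params):
    """Spec-conformant: encode first, then sort (encoded name, encoded value) tuples.

    Repeated names (a=2&a=1) work because params is a list of pairs, not a dict.
    Encoded strings are pure ASCII, so Python's code-point order equals byte order.
    """
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, normalized_url, normalized_params):
    """Three individually encoded parts joined by '&'. The URL is assumed to be already
    normalized (lower-cased scheme/host, default port dropped, query string removed)."""
    return "&".join(oauth_encode(x) for x in (method.upper(), normalized_url, normalized_params))


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with encode(consumer_secret)&encode(token_secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample request: consumer key and the two extra params come from the report,
# the URL, timestamp and nonce are made up for this example.
SAMPLE_URL = "http://example.com/resource"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "trial"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1392909389"),
    ("oauth_nonce", "12345678"),
    ("oauth_version", "1.0"),
    ("param", "foo"),
    ("param2", "bar"),
]

NORMALIZERS = (("buggy", normalize_buggy),
               ("raw_key_sort", normalize_raw_key_sort),
               ("spec", normalize_spec))


def compare_signatures(params=SAMPLE_PARAMS, url=SAMPLE_URL, consumer_secret="trial"):
    """Return {normalizer name: signature}. A server that normalizes per the spec
    rejects any request whose signature differs from the 'spec' entry."""
    out = {}
    for name, fn in NORMALIZERS:
        base = signature_base_string("GET", url, fn(params))
        out[name] = hmac_sha1_signature(base, consumer_secret)
    return out


if __name__ == "__main__":
    for name, fn in NORMALIZERS:
        print(f"{name:>12}: {fn(SAMPLE_PARAMS)}")
    print(compare_signatures())
```

Running it shows the 'buggy' normalization ending in `param2=bar&param=foo` and producing a different signature from the other two; the raw-key sort only diverges from the spec when a name contains non-ASCII characters, which is the case the patch's `sort keys %params` does not cover.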