OAuth 1 Signature is invalid because url's params containtsUnicode simbols

26 views

Skip to first unread message

Alexey Matushevsky

unread,

May 28, 2014, 8:34:48 AM5/28/14

to dotnet...@googlegroups.com

Have found and bug while working with twitter;

Trying to post simple tweet Text + Url -

text with > 嫌 http://google.com

The text contains the japan symbols. this leads to the System.Uri strange behavior - the colons : are not escaped to %3A

text%20with%20%3E%20%E5%AB%8C%20http:%2F%2Fgoogle.com

This what HttpWebRequest sends to twitter

POST https://api.twitter.com/1.1/statuses/update.json?status=text%20with%20%3E%20%E5%AB%8C%20http:%2F%2Fgoogle.com HTTP/1.1

Authorization: OAuth oauth_token="2193937074-cgmZbmJIIb75f7MkQgbdjuvQaen2xzM1WFXXC7G",oauth_consumer_key="XVCgN3fkwzTGgeSm1FBa1Q",oauth_nonce="j56uVn4M",oauth_signature_method="HMAC-SHA1",oauth_signature="sQfBT6%2Fw0wOnmLJqE65auF0j1Iw%3D",oauth_version="1.0",oauth_timestamp="1401279416"

Host: api.twitter.com

Content-Length: 0

Connection: Keep-Alive

Resonse

HTTP/1.1 401 Unauthorized

content-length: 63

content-type: application/json; charset=utf-8

date: Wed, 28 May 2014 12:17:03 UTC

server: tfe

set-cookie: guest_id=v1%3A140127942310556823; Domain=.twitter.com; Path=/; Expires=Fri, 27-May-2016 12:17:03 UTC

strict-transport-security: max-age=631138519

{"errors":[{"message":"Could not authenticate you","code":32}]}

The error mean that the request has wrong signature;

But if we manually change the colon to %3A in Fiddler and resend it via composer the result will successful

POST https://api.twitter.com/1.1/statuses/update.json?status=text%20with%20%3E%20%E5%AB%8C%20http:%2F%2Fgoogle.com HTTP/1.1

Host: api.twitter.com

Content-Length: 0

Connection: Keep-Alive

It seams like the DNOA referring using the System.Uri.AbsoluteUri to create signature and the HttpWebRequest uses the PathAndQuery property.