Issue 141 in oauth-php: POST data included in signature when content type is "multipart/form-data"


oaut...@googlecode.com

Nov 25, 2013, 10:02:19 AM
to oauth-ph...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 141 by mat...@gmail.com: POST data included in signature when
content type is "multipart/form-data"
http://code.google.com/p/oauth-php/issues/detail?id=141

What steps will reproduce the problem?
1. Create a post with the content type/encoding "multipart/form-data" with
at least one posted variable
2. Echo the signatureBaseString in the OAuthRequest Library

What is the expected output?
You will see the variable included in the signatureBaseString

What do you see instead?
Variables passed via "multipart/form-data" should not be included in the
signatureBaseString.


Reference to the specification: Section 9.1.1. Normalize Request Parameters
of OAuth 1.0a http://oauth.net/core/1.0a/#anchor13

Currently in the code there is a TODO marker for correct handling of the
situation of "multipart/form-data", which does fetch the POST data.

Attached is a minor patch which no longer retrieves the POST data, with a
comment so that it is clear that this behaviour is intentional.

Attachments:
form-data.patch 1.1 KB


oaut...@googlecode.com

Nov 25, 2013, 10:36:59 AM
to oauth-ph...@googlegroups.com

Comment #1 on issue 141 by ma...@pobox.com: POST data included in signature
when content type is "multipart/form-data"
http://code.google.com/p/oauth-php/issues/detail?id=141

I see that that behavior was changed at some point; in the code there is a
comment:

> Get the body of a POST with multipart/form-data by Edison tsai on 16:52
> 2010/09/16

The original code was using a separate signature for the request body, per
discussion with Eran et al.
See also https://groups.google.com/forum/#!topic/oauth/rNA2R0ZJQCo
And http://www.marcworrell.com/article-3130-en.html

Maybe you can check the reasons behind Edison Tsai's commit?

oaut...@googlecode.com

Nov 25, 2013, 5:29:20 PM
to oauth-ph...@googlegroups.com

Comment #2 on issue 141 by mat...@gmail.com: POST data included in
signature when content type is "multipart/form-data"
http://code.google.com/p/oauth-php/issues/detail?id=141

Thanks for finding the previous discussions.
However, they seem to be about allowing extended signing of body content
above and beyond OAuth standard signing. They were implemented in a
separate class OAuthRequestVerifier.php in the verifyExtended method. These
discussions were had in April 2008. The check-in from Edison Tsai seems to
be unrelated to the extended verification.

The check-in looks to be a helpful change from what was there, which just
threw an exception. There doesn't seem to be a lot of information about
Issue 81 or commit 165. However, it does not conform to the specs.

Would you be happy with some sort of flag that would make the behaviour act
as it does currently and then apply the change?

oaut...@googlecode.com

Nov 26, 2013, 3:45:17 AM
to oauth-ph...@googlegroups.com

Comment #3 on issue 141 by ma...@pobox.com: POST data included in signature
when content type is "multipart/form-data"
http://code.google.com/p/oauth-php/issues/detail?id=141

Sounds good to me. Maybe the best default behavior is to stick with the
specs, and an option to switch to Tsai's additions.

oaut...@googlecode.com

Dec 3, 2013, 10:54:53 AM
to oauth-ph...@googlegroups.com

Comment #4 on issue 141 by mat...@gmail.com: POST data included in
signature when content type is "multipart/form-data"
http://code.google.com/p/oauth-php/issues/detail?id=141

Finally found time to create the updated patch.

The flag by default is in-line with the spec.

The backwards compatibility may be enabled by passing to the OAuthServer
options parameter:
array (
'sign_body_of_multipart_request' => true
)

Looking at the code this was the cleanest way I could see that fits with
the coding style/conventions.

Hope this is acceptable


Attachments:
form-data2.patch 2.2 KB
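
Added example, not part of the thread and not oauth-php's own code: how the signature base string from section 9.1.1 changes with the content type and with the sign_body_of_multipart_request option from comment #4, and why a client and server that disagree on it compute different signatures. Function names, the URL and all keys and secrets are constructed; the URL is assumed to be normalized already.

```php
<?php
// Added example, not oauth-php's own code. Function names and sample values
// are constructed; only 'sign_body_of_multipart_request' is from the thread.
// Section 9.1.1: encode names and values, drop oauth_signature, sort by
// name then value, join as name=value pairs separated by '&'.
function normalize_params(array $pairs): string {
    $enc = [];
    foreach ($pairs as [$name, $value]) {
        if ($name === 'oauth_signature') continue;
        $enc[] = [rawurlencode($name), rawurlencode($value)];
    }
    usort($enc, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    return implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $enc));
}

// $url is assumed to be normalized already (no query string, no default port).
function signature_base_string(string $method, string $url, string $contentType,
    array $oauth, array $query, array $body, array $options = []): string {
    $type = strtolower(trim(explode(';', $contentType)[0]));
    $legacy = !empty($options['sign_body_of_multipart_request']);
    $pairs = array_merge($oauth, $query);
    // Body parameters are signed only for form-urlencoded bodies, or for
    // multipart bodies when the backwards-compatibility option is set.
    if ($type === 'application/x-www-form-urlencoded'
        || ($type === 'multipart/form-data' && $legacy)) {
        $pairs = array_merge($pairs, $body);
    }
    return strtoupper($method) . '&' . rawurlencode($url) . '&'
        . rawurlencode(normalize_params($pairs));
}

function hmac_sha1_signature(string $base, string $consumerSecret, string $tokenSecret): string {
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Constructed request: one multipart field plus the oauth_* parameters.
$oauth = [['oauth_consumer_key', 'ck-demo'], ['oauth_nonce', 'n-1'],
          ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', '1386086093'],
          ['oauth_token', 'tk-demo'], ['oauth_version', '1.0']];
$body = [['title', 'holiday photo']];
$url = 'https://api.example.test/upload';
$ctype = 'multipart/form-data; boundary=demo';
$spec = signature_base_string('POST', $url, $ctype, $oauth, [], $body);
$old  = signature_base_string('POST', $url, $ctype, $oauth, [], $body,
                              ['sign_body_of_multipart_request' => true]);
echo $spec, "\n", $old, "\n";
// Compare what a spec-following side and a legacy side would each compute.
var_dump(hmac_sha1_signature($spec, 'cs-demo', 'ts-demo') === hmac_sha1_signature($old, 'cs-demo', 'ts-demo'));
```

With the spec behaviour the multipart fields sit outside the signature, so their integrity depends on the transport rather than on OAuth.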