Hi,
Since upgrading from 9.3 to 9.7 and then 9.8 I am having problems working with the API from some clients.
The API expects all parameters to be UrlEncoded before the request is signed.
The code in ./api/index.php uses parse_str (line 35) to extract the parameters into variables and then later rebuilds the query string using http_build_query (line 40) before checking it against the signature (line 57).
The problem arises here because the UrlEncoding should be case INsensitive according to the spec, but the re-encoding using http_build_query forces all percent encoded hex characters to uppercase. This then only passes the signature check if the original URL parameters were also in uppercase. Here a / character can be encoded to %2F or %2f legally - but the API only allows the former.
Thus a url like this works:
user=myuser&function=do_search&param1=up%2Fdown&sign=xxxxx
but this doesn't:
user=myuser&function=do_search&param1=up%2fdown&sign=yyyyy
and we get Invalid Signature.
The problem is that some implementations of UrlEncode (e.g. System.Web.HttpUtility.UrlEncode in Microsoft .NET) encode hex digits in lower case!
This means that these clients can no longer work with ResourceSpace.
Version 9.3 did not do this decoding and then re-encoding before the signature check and so worked ok with all UrlEncoding implementations in all languages.
Is there a plan to fix this?
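An added example (not ResourceSpace's own code) that reproduces the decode/re-encode round trip described in the post and shows one server-side fix: normalising only the case of percent-escapes before the signature is checked, so %2f and %2F verify the same way. The HMAC-SHA256 signing scheme, the secret and the query strings are assumptions constructed for the example, not the real ResourceSpace scheme.

```php
<?php
// Added example, not ResourceSpace code. Secret and queries are constructed samples.

// The round trip the post describes: parse_str() decodes every value, then
// http_build_query() re-encodes it with uppercase hex digits, so any lowercase
// percent-escape the client signed is rewritten before the signature check.
function roundtrip(string $query): string {
    parse_str($query, $params);
    return http_build_query($params);
}

// Normalise only the case of percent-escape hex digits and leave every other
// byte of the raw query untouched. RFC 3986 names uppercase as the normal form
// and requires decoders to accept both cases, so this is lossless.
function canonicalize_query(string $query): string {
    return preg_replace_callback('/%[0-9a-fA-F]{2}/', function ($m) {
        return strtoupper($m[0]);
    }, $query);
}

// Hypothetical signing scheme: HMAC-SHA256 over the canonical query string
// (everything before the sign parameter). Client and server must both
// canonicalise the same way for this to be consistent.
function sign_query(string $query, string $secret): string {
    return hash_hmac('sha256', canonicalize_query($query), $secret);
}

// Split off the trailing sign parameter and compare in constant time.
function verify_signed_query(string $signed_query, string $secret): bool {
    if (!preg_match('/^(.*)&sign=([0-9a-f]{64})$/', $signed_query, $m)) {
        return false;
    }
    return hash_equals(sign_query($m[1], $secret), $m[2]);
}

$secret = 'constructed-sample-secret';
$upper  = 'user=myuser&function=do_search&param1=up%2Fdown';
$lower  = 'user=myuser&function=do_search&param1=up%2fdown';

// Does the round trip preserve the bytes a .NET-style client signed?
echo 'round trip preserves lowercase escape: ', var_export(roundtrip($lower) === $lower, true), "\n";
// Does case normalisation map both spellings onto the same string?
echo 'canonical forms agree: ', var_export(canonicalize_query($lower) === $upper, true), "\n";
// Do both clients' signatures verify once the server canonicalises?
echo 'lowercase client verifies: ', var_export(verify_signed_query($lower . '&sign=' . sign_query($lower, $secret), $secret), true), "\n";
echo 'uppercase client verifies: ', var_export(verify_signed_query($upper . '&sign=' . sign_query($upper, $secret), $secret), true), "\n";
```

Note that canonicalising the raw string is different from decoding and re-encoding: it never changes which characters are escaped, only the case of the hex digits, so a signature computed over the client's original parameters still matches.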