OAuth Core 1.0 (or a) does *not* include PUT body parameters in the signature
base string. That is a bug which I already fixed a while back in the very first
I-D:
o Removed restriction of only signing application/
x-www-form-urlencoded in POST requests, allowing the entity-body
to be used with all HTTP request methods.
The current IETF version is all inclusive:
---
The request parameters, which include both protocol parameters and
request-specific parameters, are extracted and restored to their
original unencoded form, from the following sources:
o The OAuth HTTP Authorization header (Section 7.1). The "realm"
parameter MUST be excluded if present.
o The HTTP request entity-body, but only if:
* The entity-body is single-part.
* The entity-body follows the encoding requirements of the
"application/x-www-form-urlencoded" content-type as defined by
[W3C.REC-html40-19980424].
* The HTTP request entity-header includes the "Content-Type"
header set to "application/x-www-form-urlencoded".
o The query component of the HTTP request URI as defined by
[RFC3986] section 3.
The "oauth_signature" parameter MUST be excluded if present.
---
Too bad very few people actually bother to read the IETF drafts and provide
feedback. For the record, I had to restrain myself in that last sentence from
using offensive language.
EHL
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Hannes Tydén
> Sent: Wednesday, September 16, 2009 5:31 PM
> To: OAuth
> Subject: [oauth] Re: Signing PUT request
>
>
> On Sep 17, 1:12 am, Hans Granqvist <[email protected]> wrote:
>
> > seems to leave PUT requests with form-encoded name/value pairs in a
> > bad spot, not covered by the core spec (which only deals with POSTs),
> > nor covered by the body hash spec.
>
> I will rephrase my initial question:
> Is it true that the base string for "application/x-www-form-
> urlencoded" PUT requests should not contain the parameters in the
> request body according to the 1.0 core specification?
>
> Section "9.1.1 Normalize Request Parameters" (http://oauth.net/core/
> 1.0#anchor14) says:
> "Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded)."
>
> If "HTTP POST request body" should be interpreted as "the request body
> if it is a POST request", "application/x-www-form-urlencoded" PUT
> requests are wide open for man-in-the-middle attacks.
>
> If it should be interpreted as "the request body of any kind of
> request", I'm fine with this and we could move along.
>
> In any case the wording is too ambiguous, leaving room for
> interpretation. I'd suggest that an amendment should be done to the
> specification.
>
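As an added illustration of the collection rules quoted from the draft above (example code written for this page, not from the list thread, the draft, or any OAuth library): the helper gathers base-string parameters for a constructed PUT request twice, once following the draft wording (form-encoded body taken for any method) and once under a POST-only reading of Core 1.0, so the gap Hannes asked about shows up as missing body parameters. The URL, header values and body are made up; `ietf_draft`, `compare_put_handling` and the other names are this example's own.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def _authorization_params(header_value):
    """Parameters from an 'OAuth ...' Authorization header, minus 'realm'."""
    if not header_value or not header_value.lower().startswith("oauth "):
        return []
    params = []
    for part in header_value[6:].split(","):
        name, _, raw = part.strip().partition("=")
        if name == "realm":
            continue  # "realm" MUST be excluded from the base string
        params.append((unquote(name), unquote(raw.strip('"'))))
    return params

def collect_request_parameters(method, url, headers, body, ietf_draft=True):
    """Collect request parameters for the signature base string.
    ietf_draft=True follows the draft text quoted above (form-encoded body for
    any method); False mimics a POST-only reading of Core 1.0 section 9.1.1."""
    params = _authorization_params(headers.get("Authorization", ""))
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    body_is_form = ctype == "application/x-www-form-urlencoded" and bool(body)
    if body_is_form and (ietf_draft or method.upper() == "POST"):
        params += parse_qsl(body, keep_blank_values=True)
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in params if k != "oauth_signature"]

def normalize_parameters(params):
    """Percent-encode, sort by name then value, join as name=value pairs."""
    enc = sorted((quote(k, safe="-._~"), quote(v, safe="-._~")) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in enc)

# Constructed sample PUT request; every value below is made up for this example.
SAMPLE_METHOD = "PUT"
SAMPLE_URL = "https://photos.example.net/albums/7?format=json"
SAMPLE_HEADERS = {
    "Authorization": ('OAuth realm="Photos", oauth_consumer_key="example-key", '
                      'oauth_token="example-token", oauth_signature_method="HMAC-SHA1", '
                      'oauth_timestamp="1253129480", oauth_nonce="abc123", '
                      'oauth_signature="not%2Fa%2Freal%2Fsig"'),
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_BODY = "title=Summer+2009&visibility=private"

def compare_put_handling():
    """Normalized parameter string under the draft and the POST-only reading."""
    draft = collect_request_parameters(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, True)
    core = collect_request_parameters(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY, False)
    return normalize_parameters(draft), normalize_parameters(core)
```

Under the POST-only reading the `title` and `visibility` pairs never reach the base string, so a party able to alter the PUT body leaves the signature intact; under the draft wording they are signed like any other parameter.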