This post is geared toward Perl implementations of OAuth, though it
may shed some light on recent URI escape problems in other languages
as well.

use Encode qw(encode);
use URI::Escape;

I previously had been escaping my parameters with a call such as:
my $value = uri_escape(encode("UTF-8",$param));

The encode() call was encoding the $param as UTF-8 octets before
percent encoding with uri_escape().

The use of uri_escape() above is NOT correct to meet the requirements
of the OAuth spec.  The following is the explanation and fix:

    # OAUTH spec URI encoding
    # =========================
    #
    # http://oauth.net/core/1.0a#encoding_parameters
    # with reference to
    # http://tools.ietf.org/html/rfc3986#section-2.3
    #
    # 5.1.  Parameter Encoding
    #
    # All parameter names and values are escaped using the [RFC3986]
    # percent-encoding (%xx) mechanism. Characters not in the unreserved character
    # set MUST be encoded. Characters in the unreserved character
    # set MUST NOT be encoded. Hexadecimal characters in encodings MUST be upper case.
    # Text names and values MUST be encoded as UTF-8 octets before percent-encoding
    # them per [RFC3629]
    #
    # unreserved = ALPHA, DIGIT, '-', '.', '_', '~'
    #
    #
    # URI::Escape
    # =============
    # http://search.cpan.org/~gaas/URI-1.38/URI/Escape.pm
    # uri_escape() by default encodes
    #  "^A-Za-z0-9\-_.!~*'()"
    #
    # We must subtract from this the reserved characters: ! * ' ( )
    # "^A-Za-z0-9\-_.~"
    #


The correct assignment in Perl is thus:
my $value = uri_escape(encode("UTF-8",$param),"^A-Za-z0-9\-_.~");

I've tested this and it fixed the problems I was having sending
characters "!", "*", etc.

I suspect percent encoding in other languages may need a similar
implementation.

- Scott
@scott_carter
http://www.bigtweet.com/
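
Added example, not part of the original post: the script below builds an OAuth 1.0a signature base string twice, once with URI::Escape's default unsafe set and once with the RFC 3986 unreserved set from the fix above, to show that the two produce different HMAC-SHA1 signatures for a value containing ! * ' ( ). The URL, keys, secrets and the helper names (oauth_escape, default_escape, base_string) are constructed for illustration.

```perl
use strict;
use warnings;
use Encode qw(encode);
use URI::Escape qw(uri_escape);
use Digest::SHA qw(hmac_sha1_base64);

# Negated RFC 3986 unreserved set: every octet outside it is percent-encoded.
my $UNRESERVED = '^A-Za-z0-9\-_.~';

# Escaping as in the post's fix: UTF-8 octets first, then the strict set.
sub oauth_escape { return uri_escape(encode('UTF-8', $_[0]), $UNRESERVED) }

# Escaping with URI::Escape's default set, which leaves ! * ' ( ) unencoded.
sub default_escape { return uri_escape(encode('UTF-8', $_[0])) }

# Signature base string: METHOD & escaped URL & escaped normalized parameters.
# The sample names are plain ASCII, so sorting raw names matches the spec order.
sub base_string {
    my ($esc, $method, $url, %params) = @_;
    my $normalized = join '&',
        map { $esc->($_) . '=' . $esc->($params{$_}) } sort keys %params;
    return join '&', uc $method, $esc->($url), $esc->($normalized);
}

# Constructed sample request (placeholder values, not from the post).
my %params = (
    oauth_consumer_key     => 'example-key',
    oauth_nonce            => 'abc123',
    oauth_signature_method => 'HMAC-SHA1',
    oauth_timestamp        => '1250000000',
    status                 => "Hello (world)! It's caf\x{e9} * time~",
);
my $key = oauth_escape('example-consumer-secret') . '&'
        . oauth_escape('example-token-secret');

for my $case ([default => \&default_escape], [oauth => \&oauth_escape]) {
    my ($name, $esc) = @$case;
    my $base = base_string($esc, 'POST', 'http://api.example.com/update', %params);
    printf "%-8s status=%s\n", $name, $esc->($params{status});
    # hmac_sha1_base64 omits padding; a 20-byte digest needs exactly one '='.
    printf "%-8s signature=%s=\n", $name, hmac_sha1_base64($base, $key);
}
```

A server that follows the spec computes the second signature, so a client that signs with the default set is rejected whenever a value contains one of those five characters.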






