On Fri, Apr 4, 2008 at 8:48 AM, Fernando Padilla <[EMAIL PROTECTED]> wrote: > For example; a parameter like this: > > t:formdata=a:a > > was converted into the base string by MySpace like this: > > t%3Aformdata%3Da%253Aa > > I hope this isn't annoying, I just wanted to get the consensus from all > developers involved, on how this should work; so we can patch Shindig or > patch Java OAuth. ( since everyone is backed by Shindig, my guess it's > actually Shindig's OAuth code ).
Great guess. The bug is in SigningFetcher.java, in the function allowParam. Shindig is aggressive about looking for weird characters in parameter names, to avoid cases where people try to sneak things like %6fpensocial_owner_id into signed fetch requests. We can probably make the regex a little bit more liberal to allow the ':' character. Want to prepare a patch? Cheers, Brian
