I would look at it, but where is this "SigningFetcher" you speak of? :)

I checked out: http://oauth.googlecode.com/svn/code/java

but it's not there.


Brian Eaton wrote:
On Fri, Apr 4, 2008 at 8:48 AM, Fernando Padilla <[EMAIL PROTECTED]> wrote:
 For example; a parameter like this:

 t:formdata=a:a

 was converted into the base string by MySpace like this:

 t%3Aformdata%3Da%253Aa

 I hope this isn't annoying, I just wanted to get the consensus from all
developers involved, on how this should work; so we can patch Shindig or
patch Java OAuth.  (Since everyone is backed by Shindig, my guess is it's
actually Shindig's OAuth code.)

Great guess.  The bug is in SigningFetcher.java, in the function
allowParam.  Shindig is aggressive about looking for weird characters
in parameter names, to avoid cases where people try to sneak things
like %6fpensocial_owner_id into signed fetch requests.

We can probably make the regex a little bit more liberal to allow the
':' character.  Want to prepare a patch?

Cheers,
Brian
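
An added example, not part of the original thread and not Shindig's code: a parameter-name check of the kind described above that accepts ':' while still rejecting '%', plus the OAuth Core 1.0 encoding of one name=value pair as it enters the signature base string, for comparison with the string quoted above. The class name, the regex and the reserved-prefix list are assumptions; only the method name allowParam comes from the thread. Requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class ParamNameCheck {
    // Hypothetical allow-list (not Shindig's actual regex): word characters
    // plus '.', '-' and ':'. '%' stays excluded, so a name cannot carry a
    // percent-encoded character past the prefix check below.
    static final Pattern ALLOWED_NAME = Pattern.compile("[\\w.:-]+");

    // Hypothetical stand-in for the allowParam check discussed in the thread.
    static boolean allowParam(String name) {
        String canon = name.toLowerCase();
        // Assumed reserved prefixes: values the container sets itself.
        if (canon.startsWith("oauth") || canon.startsWith("opensocial")) {
            return false;
        }
        // "%6fpensocial_owner_id" passes the prefix test on its raw form but
        // decodes to "opensocial_owner_id"; rejecting '%' closes that gap.
        return ALLOWED_NAME.matcher(canon).matches();
    }

    // OAuth Core 1.0 section 5.1 percent-encoding: only letters, digits,
    // '-', '.', '_' and '~' stay literal. URLEncoder differs on ' ', '*', '~'.
    static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8)
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // One name=value pair as it appears in the signature base string
    // (section 9.1): name and value are each encoded, joined with '=',
    // and the normalized string is then encoded a second time.
    static String baseStringPair(String name, String value) {
        return encode(encode(name) + "=" + encode(value));
    }

    public static void main(String[] args) {
        // Constructed sample names, taken from the cases the thread mentions.
        String[] names = {"t:formdata", "%6fpensocial_owner_id", "opensocial_owner_id"};
        for (String n : names) {
            System.out.println(n + " -> allowed=" + allowParam(n));
        }
        System.out.println(baseStringPair("t:formdata", "a:a"));
    }
}
```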
