On Fri, Apr 4, 2008 at 12:32 PM, Fernando Padilla <[EMAIL PROTECTED]> wrote:

> Is there any real reason to restrict the parameter names beyond
> oauth/opensocial? Should I just submit the patch to remove the
> ALLOWE_PARAM_NAME checking all together?
The check is there for security reasons, to prevent any attempt to smuggle in an opensocial param that our code misses but the verifying code accepts. Search the web for "IDS bypass" for pointers to various kinds of attacks that might be possible.

Modifying the regex to allow the ":" character as well as the characters it permits already seems reasonable, but we should be paranoid about adding additional characters.

Cheers,
Brian
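The point of the thread is that an allowlist on parameter names is what stops a name from slipping past one component's checks while another component still accepts it. The following is an added illustration, not code from this project or either author: the character class is an assumption (the thread only says ":" should be added to what the regex already permits), the reserved prefixes and the sample request are constructed, and the names `ALLOWED_PARAM_NAME`, `is_allowed_param_name`, `is_reserved` and `validate_params` are chosen here for the example.

```python
import re

# Assumed allowlist. The original regex is not shown in the thread; letters,
# digits, "_", "-" and "." are an assumption, and ":" is the addition under
# discussion. Anything outside this set is rejected outright.
ALLOWED_PARAM_NAME = re.compile(r"[A-Za-z0-9_.\-:]+")

# Constructed for the example: prefixes the application treats as reserved.
RESERVED_PREFIXES = ("oauth_", "opensocial_", "opensocial:")


def is_allowed_param_name(name: str) -> bool:
    """True only if every character of the name is in the allowlist.

    fullmatch is used instead of match/$ so a trailing newline cannot
    sneak through (re's "$" also matches just before a final "\\n").
    """
    return ALLOWED_PARAM_NAME.fullmatch(name) is not None


def is_reserved(name: str) -> bool:
    """A prefix-only check, the kind of test the allowlist backs up."""
    return name.startswith(RESERVED_PREFIXES)


def validate_params(params):
    """Split a request's parameters into accepted and rejected names.

    Returns (accepted: dict, rejected: list). A name is rejected as soon as
    it fails the allowlist, before any prefix-based logic looks at it, so a
    downstream verifier never sees a name this code did not fully vet.
    """
    accepted, rejected = {}, []
    for name, value in params.items():
        if not is_allowed_param_name(name):
            rejected.append(name)
            continue
        accepted[name] = value
    return accepted, rejected


# Constructed sample request: two ordinary reserved names, one name using the
# newly permitted ":", and two names carrying characters outside the allowlist.
SAMPLE_PARAMS = {
    "oauth_token": "abc123",
    "opensocial_owner_id": "42",
    "opensocial:viewer": "42",
    "opensocial_app id": "7",      # embedded space
    "oauth_signature\r\nX": "zzz",  # embedded CR/LF
}


def demo():
    accepted, rejected = validate_params(SAMPLE_PARAMS)
    # The prefix check alone would have passed both rejected names; only the
    # character allowlist keeps them away from the verifying code.
    prefix_only_passes = [n for n in rejected if is_reserved(n)]
    return accepted, rejected, prefix_only_passes


if __name__ == "__main__":
    acc, rej, leaked = demo()
    print("accepted:", sorted(acc))
    print("rejected:", rej)
    print("would have passed a prefix-only check:", leaked)
```

Running it shows the three well-formed names accepted (including the one with ":") and the two malformed names rejected, even though both start with a reserved prefix and would have passed a prefix-only test.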

