SigningFetcher is too restrictive on parameter names allowed.
-------------------------------------------------------------

                 Key: SHINDIG-177
                 URL: https://issues.apache.org/jira/browse/SHINDIG-177
             Project: Shindig
          Issue Type: Bug
            Reporter: Fernando


Here is an excerpt from the email list:

On Fri, Apr 4, 2008 at 8:48 AM, Fernando Padilla <[EMAIL PROTECTED]> wrote:
> >  For example; a parameter like this:
> >
> >  t:formdata=a:a
> >
> >  was converted into the base string by MySpace like this:
> >
> >  t%3Aformdata%3Da%253Aa
> >
> >  I hope this isn't annoying, I just wanted to get the consensus from all
> > developers involved, on how this should work; so we can patch Shindig or
> > patch Java OAuth.  (Since everyone is backed by Shindig, my guess is it's
> > actually Shindig's OAuth code.)

Great guess.  The bug is in SigningFetcher.java, in the function
allowParam.  Shindig is aggressive about looking for weird characters
in parameter names, to avoid cases where people try to sneak things
like %6fpensocial_owner_id into signed fetch requests.

We can probably make the regex a little bit more liberal to allow the
':' character.  Want to prepare a patch?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
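
Added example (not part of the original thread and not Shindig's code): a name filter in the spirit of the allowParam check described above that accepts ':' while still rejecting '%'-escaped and reserved-prefix names, together with the OAuth 1.0 encoding of the thread's sample pair into a base-string fragment. The class name, method bodies, character pattern and reserved-prefix list are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.regex.Pattern;

/** Added illustration; names and pattern are hypothetical, not taken from SigningFetcher.java. */
public class ParamNameFilterDemo {
    // Literal characters accepted in a parameter name. ':' is allowed; '%' is not,
    // so a percent-escaped spelling of a reserved name can never pass the filter.
    private static final Pattern ALLOWED_NAME = Pattern.compile("[-:\\w~!@$*()\\[\\],./]+");
    // Prefixes only the container may set on a signed fetch (assumed list).
    private static final String[] RESERVED = {"oauth", "xoauth", "opensocial"};

    static boolean allowParam(String name) {
        String canon = name.toLowerCase(Locale.ROOT);
        for (String prefix : RESERVED) {
            if (canon.startsWith(prefix)) return false;
        }
        return ALLOWED_NAME.matcher(canon).matches();
    }

    // OAuth 1.0 percent-encoding: escape every byte except ALPHA, DIGIT, '-', '.', '_', '~'.
    static String oauthEncode(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            boolean unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
            if (unreserved) out.append(c);
            else out.append(String.format("%%%02X", b & 0xFF));
        }
        return out.toString();
    }

    // One name=value pair as it appears inside the signature base string: encoded once
    // when parameters are normalized, then again when the base string is assembled.
    static String baseStringPair(String name, String value) {
        return oauthEncode(oauthEncode(name) + "=" + oauthEncode(value));
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two names appear in the thread, the third is a plain reserved name.
        for (String n : new String[] {"t:formdata", "%6fpensocial_owner_id", "opensocial_owner_id"}) {
            System.out.println(n + " -> " + (allowParam(n) ? "signed" : "rejected"));
        }
        // Base-string fragment for the thread's sample pair, for comparison with the quoted one.
        System.out.println(baseStringPair("t:formdata", "a:a"));
    }
}
```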
