[ https://issues.apache.org/jira/browse/SHINDIG-177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Fernando updated SHINDIG-177:
-----------------------------
Attachment: SigningFetcher.patch
This patch changes:
    protected static final Pattern ALLOWED_PARAM_NAME = Pattern.compile("[-:_\\w]+");
It adds the ":" to the regexp, and moves the "-" to the front, to make it more
legible by removing the "\\". We could also remove the "_" character if you
want, since that is actually included within the "\w" character class.
I tested the regexp in another class, JDK 1.5, but did not actually test the
full Shindig code.
> SigningFetcher is too restrictive on parameter names allowed.
> -------------------------------------------------------------
>
> Key: SHINDIG-177
> URL: https://issues.apache.org/jira/browse/SHINDIG-177
> Project: Shindig
> Issue Type: Bug
> Reporter: Fernando
> Attachments: SigningFetcher.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Here is an excerpt from the email list:
> On Fri, Apr 4, 2008 at 8:48 AM, Fernando Padilla <[EMAIL PROTECTED]> wrote:
> > > For example; a parameter like this:
> > >
> > > t:formdata=a:a
> > >
> > > was converted into the base string by MySpace like this:
> > >
> > > t%3Aformdata%3Da%253Aa
> > >
> > > I hope this isn't annoying, I just wanted to get the consensus from all
> > > developers involved, on how this should work; so we can patch Shindig or
> > > patch Java OAuth. ( since everyone is backed by Shindig, my guess it's
> > > actually Shindig's OAuth code ).
> Great guess. The bug is in SigningFetcher.java, in the function
> allowParam. Shindig is aggressive about looking for weird characters
> in parameter names, to avoid cases where people try to sneak things
> like %6fpensocial_owner_id into signed fetch requests.
> We can probably make the regex a little bit more liberal to allow the
> ':' character. Want to prepare a patch?
--
This message is automatically generated by JIRA.