[
https://issues.apache.org/jira/browse/SHINDIG-177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Brown updated SHINDIG-177:
--------------------------------
Component/s: Gadgets Server - Java
> SigningFetcher is too restrictive on parameter names allowed.
> -------------------------------------------------------------
>
> Key: SHINDIG-177
> URL: https://issues.apache.org/jira/browse/SHINDIG-177
> Project: Shindig
> Issue Type: Bug
> Components: Gadgets Server - Java
> Reporter: Fernando
> Attachments: SigningFetcher.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Here is an excerpt from the email list:
> On Fri, Apr 4, 2008 at 8:48 AM, Fernando Padilla <[EMAIL PROTECTED]> wrote:
> > > For example; a parameter like this:
> > >
> > > t:formdata=a:a
> > >
> > > was converted into the base string by MySpace like this:
> > >
> > > t%3Aformdata%3Da%253Aa
> > >
> > > I hope this isn't annoying, I just wanted to get the consensus from all
> > > developers involved, on how this should work; so we can patch Shindig or
> > > patch Java OAuth. ( since everyone is backed by Shindig, my guess it's
> > > actually Shindig's OAuth code ).
> Great guess. The bug is in SigningFetcher.java, in the function
> allowParam. Shindig is aggressive about looking for weird characters
> in parameter names, to avoid cases where people try to sneak things
> like %6fpensocial_owner_id into signed fetch requests.
> We can probably make the regex a little bit more liberal to allow the
> ':' character. Want to prepare a patch?
--
This message is automatically generated by JIRA.