signed fetcher too paranoid
---------------------------
Key: SHINDIG-211
URL: https://issues.apache.org/jira/browse/SHINDIG-211
Project: Shindig
Issue Type: Bug
Reporter: Brian Eaton
Attachments: signed-fetch-legal-chars.patch

Symptom: somebody complains that their makeRequest doesn't verify properly or
that parameters are missing.

Root cause: SigningFetcher is overly paranoid about signing parameters with
weird characters in the names.

Source of confusion: Instead of throwing an exception when it can't sign a
message, SigningFetcher either removes the invalid parameter entirely (query
string) or leaves the parameter out of the signature base string (post body).

I've made SigningFetcher less paranoid, and also made it throw exceptions early
on if a request contains invalid query or post parameters.

Some subset of requests that used to "work" with invalid signatures or missing
parameters will now fail. Early/obvious failures are better than late/subtle
ones.
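The post-body failure mode described in the report, as an added example that is not part of the original message or of Shindig's code: a parameter that is sent but left out of the signature base string makes the receiver's recomputed signature differ, while a strict signer rejects the request before signing. The legal-name pattern, the use of HMAC-SHA1, the key, the URL and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, re
from urllib.parse import quote

# Assumption: stand-in for "legal" names; the report does not give Shindig's rule.
LEGAL_NAME = re.compile(r"[A-Za-z0-9_.\-]+")

def enc(s):
    # Percent-encode everything except RFC 3986 unreserved characters (OAuth 1.0).
    return quote(s, safe="-._~")

def base_string(method, url, params):
    # OAuth 1.0 signature base string: METHOD & url & sorted, encoded parameters.
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(key, method, url, params):
    # Assumption: HMAC-SHA1 keeps the example self-contained (no key pair needed).
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def lenient_signed_post(key, url, params):
    """Behaviour the report describes for post bodies: an illegal name
    is still sent but is left out of the signature base string."""
    signed = [(k, v) for k, v in params if LEGAL_NAME.fullmatch(k)]
    return params, sign(key, "POST", url, signed)

def strict_signed_post(key, url, params):
    """Fail early: reject the request before any signature is produced."""
    bad = [k for k, _ in params if not LEGAL_NAME.fullmatch(k)]
    if bad:
        raise ValueError(f"cannot sign parameter name(s): {bad}")
    return params, sign(key, "POST", url, params)

def receiver_verifies(key, url, received, signature):
    """A receiver that signs every parameter it was sent and compares."""
    expected = sign(key, "POST", url, received)
    return hmac.compare_digest(expected, signature)

# Constructed sample request; key, URL and parameter names are made up.
KEY = b"constructed-shared-secret"
URL = "http://example.org/api"
GOOD = [("opensocial_owner_id", "1234"), ("q", "hello world")]
WEIRD = GOOD + [("filter[0]", "x")]
```

With `WEIRD`, the lenient signer returns a body and signature that the receiver rejects, which is the late failure the report describes; the strict signer raises `ValueError` naming `filter[0]` instead.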