On Thu, Aug 20, 2009 at 1:40 AM, David Carson <carson63...@gmail.com> wrote:
> Got this sorted out and working, and thought I should share the two
> pitfalls which were causing me problems.
> First of all, unbelievably, the 500 Internal Server Error was being
> caused by an extra carriage return between my last HTTP header and the
> first multipart boundary. Seriously. I had two blank lines in there
> instead of one. Removed the extra carriage return, and my 500
> vanished, being replaced by a more reasonable "(401) Unauthorized -
> Incorrect signature" error.
> Secondly, the OAuth documentation seems a bit shaky when it comes to
> multipart/form-data POSTs. But basically, you do NOT use any of the
> POST parameters when creating your signature. And this includes all of
> the OAuth-specific parameters like oauth_consumer_key,
> oauth_signature_method, etc. Bit of a security hole imho, OAuth
> implements all this complexity to avoid man-in-the-middle or replay
> attacks, and as soon as you do a multipart POST it's all negated.
> So, my signature base was literally:
> POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
> Just the HTTP method and the URL. No parameters.
> Once I made that change to the signature generation, my request went
> through fine and my avatar changed.
> Hope this helps someone!
> Cheers,
> David...

Gotta love HTTP. In many ways very forgiving, in other ways very, very
picky. Glad you got it worked out. FYI I believe LinqToTwitter offers
the same image upload/change functionality on top of the same
OAuthBase work by Eran & Shannon.

∞ Andy Badera
∞ This email is: [ ] bloggable [x] ask first [ ] private
∞ Google me: http://www.google.com/search?q=(andrew+badera)+OR+(andy+badera)
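
The signature base described in the quoted message, as an added example that is not part of the original thread or of OAuthBase: it rebuilds the quoted base string and shows that a signature computed over it stays the same when the multipart body changes, while a form-encoded POST whose fields are signed does not. The secrets, field names and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

URL = "http://twitter.com/account/update_profile_image.xml"
# Constructed secrets, for illustration only.
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"


def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base(method, url, params=()):
    # METHOD & encoded URL & encoded, sorted "k=v" pairs.
    # With no signed parameters the third part is empty, leaving a trailing "&".
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret", base64-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def multipart_signature(body):
    # The body is deliberately unused: no part of a multipart/form-data
    # payload enters the base string, so the signature cannot vouch for it.
    return sign(signature_base("POST", URL), CONSUMER_SECRET, TOKEN_SECRET)


def form_signature(fields):
    # Form-encoded case for contrast: the fields are part of the base string.
    base = signature_base("POST", URL, fields.items())
    return sign(base, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print(signature_base("POST", URL))
    print(multipart_signature(b"image-a") == multipart_signature(b"image-b"))
    print(form_signature({"status": "a"}) == form_signature({"status": "b"}))
```

Because the multipart body is outside the signed data, its integrity has to come from the transport (TLS) rather than from the OAuth signature.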
