On Thu, Aug 20, 2009 at 1:40 AM, David Carson <[email protected]> wrote:
>
> Got this sorted out and working, and thought I should share the two
> pitfalls which were causing me problems.
>
> First of all, unbelievably, the 500 Internal Server Error was being
> caused by an extra carriage return between my last HTTP header and the
> first multipart boundary. Seriously. I had two blank lines in there
> instead of one. Removed the extra carriage return, and my 500
> vanished, being replaced by a more reasonable "(401) Unauthorized -
> Incorrect signature" error.
>
> Secondly, the OAuth documentation seems a bit shaky when it comes to
> multipart/form-data POSTs. But basically, you do NOT use any of the
> POST parameters when creating your signature. And this includes all of
> the OAuth-specific parameters like oauth_consumer_key,
> oauth_signature_method, etc. Bit of a security hole imho, OAuth
> implements all this complexity to avoid man-in-the-middle or replay
> attacks, and as soon as you do a multipart POST it's all negated.
>
> So, my signature base was literally:
>
> POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
>
> Just the HTTP method and the URL. No parameters.
>
> Once I made that change to the signature generation, my request went
> through fine and my avatar changed.
>
> Hope this helps someone!
>
> Cheers,
> David...
>
Gotta love HTTP. In many ways very forgiving, in other ways very, very picky.

Glad you got it worked out.

FYI I believe LinqToTwitter offers the same image upload/change functionality on top of the same OAuthBase work by Eran & Shannon.

∞ Andy Badera
∞ This email is: [ ] bloggable [x] ask first [ ] private
∞ Google me: http://www.google.com/search?q=(andrew+badera)+OR+(andy+badera)
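
The two pitfalls from David's message, as an added example that is not code from either poster or from OAuthBase/LinqToTwitter: it rebuilds the signature base string he quotes using the usual OAuth 1.0 base-string construction with an empty parameter set, signs it with HMAC-SHA1, and counts the blank lines between the headers and the first multipart boundary. The secrets, nonce, timestamp, boundary and request bytes are constructed sample values; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal."""
    return quote(s, safe="-._~")


def signature_base(method: str, url: str, params: dict) -> str:
    """METHOD & enc(url) & enc(sorted 'k=v' pairs joined with '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with enc(consumer)&enc(token)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def blank_lines_before_body(raw: bytes) -> int:
    """Count empty CRLF lines between the last header and the first body byte."""
    _, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return 0  # header block never terminated
    count = 1
    while rest.startswith(b"\r\n"):
        rest, count = rest[2:], count + 1
    return count


URL = "http://twitter.com/account/update_profile_image.xml"  # URL from the post
HEADERS = (b"POST /account/update_profile_image.xml HTTP/1.1\r\nHost: twitter.com\r\n"
           b"Content-Type: multipart/form-data; boundary=XyZ")  # constructed request

if __name__ == "__main__":
    base = signature_base("POST", URL, {})  # empty parameter set, as in the post
    print(base)
    # The body is not an input here, so any multipart payload gets the same signature.
    print(hmac_sha1_signature(base, "constructed-consumer", "constructed-token"))
    # For contrast: a base string that does cover a nonce and timestamp.
    replay = {"oauth_nonce": "constructed-nonce", "oauth_timestamp": "1250732400"}
    print(signature_base("POST", URL, replay))
    print(blank_lines_before_body(HEADERS + b"\r\n\r\n--XyZ\r\n"))      # one blank line
    print(blank_lines_before_body(HEADERS + b"\r\n\r\n\r\n--XyZ\r\n"))  # the extra CRLF
```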
