Simon,

I believe the body of your post might be incorrect. It should look like
this:

POST /account/update_profile_image.xml HTTP/1.1
Content-Type: multipart/form-data;
boundary=----------------------------8cbed79c91b24f3
Host: twitter.com
Content-Length: 3863(this will probably change now..)

------------------------------8cbed79c91b24f3
Content-Disposition: form-data; name="image"; filename="test.jpg"
Content-Type: image/jpeg

(there's a few K of binary data here, the contents of the file)
------------------------------8cbed79c91b24f3


The rest of the OAuth variables should be passed on the query string.

I hope this helps.

Cheers,
Nicholas
---
Nicholas Granado
email:  ngran...@gmail.com
twitter: heatxsink
web:    http://nickgranado.com


On Sun, Oct 18, 2009 at 2:42 PM, Zaudio <si...@z-audio.co.uk> wrote:

>
> Hi David,
>
> I found your excellent post hoping that it would solve the same
> challenge for my app: updating profile image via Oauth... using
> similar .net base to yourself...
> BUT I just get the 401 all the time... despite taking your advice to
> just sign with the HTTPmethod & URL.... My post data is laid out much
> like yours... though I never got that 500 error...
>
> I've tried all sorts... dropping the & off the end.... different
> encodings...
>
> What encoding did you use to encode your image, and then to post the
> request?
>
> Does it still work for you... or did this get broken when Twitter
> 'fixed' their Oauth implementation?
>
> Can anyone else advise if they have got this working and where I might
> be going wrong?
>
> Thanks
>
> Simon (Zaudio)
>
>
>
> On Aug 19, 11:40 pm, David Carson <carson63...@gmail.com> wrote:
> > Got this sorted out and working, and thought I should share the two
> > pitfalls which were causing me problems.
> >
> > First of all, unbelievably, the 500 Internal Server Error was being
> > caused by an extra carriage return between my last HTTP header and the
> > first multipart boundary. Seriously. I had two blank lines in there
> > instead of one. Removed the extra carriage return, and my 500
> > vanished, being replaced by a more reasonable "(401) Unauthorized -
> > Incorrect signature" error.
> >
> > Secondly, the OAuth documentation seems a bit shaky when it comes to
> > multipart/form-data POSTs. But basically, you do NOT use any of the
> > POST parameters when creating your signature. And this includes all of
> > the OAuth-specific parameters like oauth_consumer_key,
> > oauth_signature_method, etc. Bit of a security hole imho, OAuth
> > implements all this complexity to avoid man-in-the-middle or replay
> > attacks, and as soon as you do a multipart POST it's all negated.
> >
> > So, my signature base was literally:
> >
> > POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&
> >
> > Just the HTTP method and the URL. No parameters.
> >
> > Once I made that change to the signature generation, my request went
> > through fine and my avatar changed.
> >
> > Hope this helps someone!
> >
> > Cheers,
> > David...
>

Reply via email to