yehara
Dec 8th, 2010, 07:25 PM
Signature verification fails when multiple parameters with the same name contain characters that must be escaped, because the signature base string is generated incorrectly.
In CoreOAuthProviderSupport.java, parameter names may be escaped repeatedly.
example: param[1] -> param%5B1%5B -> param%255B1%255B -> param%25255B1%25255B (the name is re-encoded once per value of that parameter, so every additional value adds another layer of escaping and the resulting base string no longer matches the client's)
protected SortedMap<String, SortedSet<String>> loadSignificantParametersForSignatureBaseString(Ht tpServletRequest request) {
//first collect the relevant parameters...
SortedMap<String, SortedSet<String>> significantParameters = new TreeMap<String, SortedSet<String>>();
//first pull from the request...
Enumeration parameterNames = request.getParameterNames();
while (parameterNames.hasMoreElements()) {
String parameterName = (String) parameterNames.nextElement();
String[] values = request.getParameterValues(parameterName);
if (values == null) {
values = new String[]{ "" };
}
for (String parameterValue : values) {
if (parameterValue == null) {
parameterValue = "";
}
parameterName = oauthEncode(parameterName);
parameterValue = oauthEncode(parameterValue);
SortedSet<String> significantValues = significantParameters.get(parameterName);
if (significantValues == null) {
significantValues = new TreeSet<String>();
significantParameters.put(parameterName, significantValues);
}
significantValues.add(parameterValue);
}
}
......
I think the following code is correct: the parameter name is encoded once, before the loop over its values, so it is escaped exactly one time regardless of how many values it has.
protected SortedMap<String, SortedSet<String>> loadSignificantParametersForSignatureBaseString(Ht tpServletRequest request) {
//first collect the relevant parameters...
SortedMap<String, SortedSet<String>> significantParameters = new TreeMap<String, SortedSet<String>>();
//first pull from the request...
Enumeration parameterNames = request.getParameterNames();
while (parameterNames.hasMoreElements()) {
String parameterName = (String) parameterNames.nextElement();
String[] values = request.getParameterValues(parameterName);
if (values == null) {
values = new String[]{ "" };
}
parameterName = oauthEncode(parameterName);
for (String parameterValue : values) {
if (parameterValue == null) {
parameterValue = "";
}
parameterValue = oauthEncode(parameterValue);
SortedSet<String> significantValues = significantParameters.get(parameterName);
if (significantValues == null) {
significantValues = new TreeSet<String>();
significantParameters.put(parameterName, significantValues);
}
significantValues.add(parameterValue);
}
}
......
I opened a new JIRA issue.
https://jira.springsource.org/browse/SECOAUTH-33
In CoreOAuthProviderSupport.java, parameter names may be escaped repeatedly.
example: param[1] -> param%5B1%5B -> param%255B1%255B -> param%25255B1%25255B (the name is re-encoded once per value of that parameter, so every additional value adds another layer of escaping and the resulting base string no longer matches the client's)
protected SortedMap<String, SortedSet<String>> loadSignificantParametersForSignatureBaseString(Ht tpServletRequest request) {
//first collect the relevant parameters...
SortedMap<String, SortedSet<String>> significantParameters = new TreeMap<String, SortedSet<String>>();
//first pull from the request...
Enumeration parameterNames = request.getParameterNames();
while (parameterNames.hasMoreElements()) {
String parameterName = (String) parameterNames.nextElement();
String[] values = request.getParameterValues(parameterName);
if (values == null) {
values = new String[]{ "" };
}
for (String parameterValue : values) {
if (parameterValue == null) {
parameterValue = "";
}
parameterName = oauthEncode(parameterName);
parameterValue = oauthEncode(parameterValue);
SortedSet<String> significantValues = significantParameters.get(parameterName);
if (significantValues == null) {
significantValues = new TreeSet<String>();
significantParameters.put(parameterName, significantValues);
}
significantValues.add(parameterValue);
}
}
......
I think the following code is correct: the parameter name is encoded once, before the loop over its values, so it is escaped exactly one time regardless of how many values it has.
protected SortedMap<String, SortedSet<String>> loadSignificantParametersForSignatureBaseString(Ht tpServletRequest request) {
//first collect the relevant parameters...
SortedMap<String, SortedSet<String>> significantParameters = new TreeMap<String, SortedSet<String>>();
//first pull from the request...
Enumeration parameterNames = request.getParameterNames();
while (parameterNames.hasMoreElements()) {
String parameterName = (String) parameterNames.nextElement();
String[] values = request.getParameterValues(parameterName);
if (values == null) {
values = new String[]{ "" };
}
parameterName = oauthEncode(parameterName);
for (String parameterValue : values) {
if (parameterValue == null) {
parameterValue = "";
}
parameterValue = oauthEncode(parameterValue);
SortedSet<String> significantValues = significantParameters.get(parameterName);
if (significantValues == null) {
significantValues = new TreeSet<String>();
significantParameters.put(parameterName, significantValues);
}
significantValues.add(parameterValue);
}
}
......
I opened a new JIRA issue.
https://jira.springsource.org/browse/SECOAUTH-33