python-oauth2

parameters in http_url incorrectly handled in Request.from_request()

Open rogerm opened this issue 15 years ago • 3 comments

When the http_url parameter is parsed to see if it contains any params, the params aren't removed from the url after being added to the parameters variable. Request.get_normalized_parameters() also parses the raw url (why?) when constructing the signature base string. The combination of these actions is that parameters coming from http_url get included twice in the signature base string.

Fix:

  • in from_request, after parsing http_url: http_url = http_url.split('?',1)[0]

It's not clear that you need or want to parse the original url again in get_normalized_parameters; it would be cleaner if all constructors and factories ensured that parameters get extracted on creation so you can just use the request dictionary and the normalized url.

rogerm, Aug 09 '10 15:08
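Added example, not code from python-oauth2 or from anyone in this thread: a stand-alone Python model of the double counting reported above, showing how the signature base string changes and why a provider that counts each parameter once rejects the resulting HMAC-SHA1 signature. The names `build_base_string`, `strip_query` and `provider_accepts`, and the sample URL, keys and secret, are assumptions made for the illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 section 3.6 encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def normalize(pairs):
    # RFC 5849 section 3.4.1.3.2: encode, sort by name then value, join with '&'.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)

def build_base_string(method, http_url, oauth_params, strip_query):
    params = list(oauth_params.items())
    # Construction step: query parameters are copied out of http_url.
    params += parse_qsl(urlsplit(http_url).query)
    if strip_query:
        http_url = http_url.split("?", 1)[0]  # the fix proposed in the issue
    # Normalization step: the stored URL is parsed a second time.
    parts = urlsplit(http_url)
    params += parse_qsl(parts.query)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalize(params))])

def sign(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 per RFC 5849 section 3.4.2.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def provider_accepts(signature, method, http_url, oauth_params, consumer_secret):
    # Assumption: the provider counts each received parameter exactly once.
    expected = sign(build_base_string(method, http_url, oauth_params, True), consumer_secret)
    return hmac.compare_digest(signature, expected)

# Constructed sample request; every value below is made up for the example.
URL = "https://api.example.com/photos?size=original&file=vacation.jpg"
OAUTH = {"oauth_consumer_key": "ck", "oauth_nonce": "n1", "oauth_timestamp": "1281366480",
         "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
SECRET = "cs"

BUGGY = build_base_string("GET", URL, OAUTH, strip_query=False)
FIXED = build_base_string("GET", URL, OAUTH, strip_query=True)

if __name__ == "__main__":
    print("buggy:", BUGGY)
    print("fixed:", FIXED)
    print("buggy signature accepted:", provider_accepts(sign(BUGGY, SECRET), "GET", URL, OAUTH, SECRET))
    print("fixed signature accepted:", provider_accepts(sign(FIXED, SECRET), "GET", URL, OAUTH, SECRET))
```

Requests whose URL has no query string sign identically on both paths, which is why the failure only shows up when parameters are passed in http_url.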

I just ran into this issue myself. Is there some reasoning behind the behavior or is it a bug?

amrox, Jan 27 '12 03:01

+1

maxcountryman, Jan 30 '12 19:01

I have a similar issue in Request.from_consumer_and_token. Apparently, when a URL redirects, the request method is invoked twice; this means that parameters are copied twice and the URL is signed twice.

Ad hoc fixes (this may break other functionality):

In the Client.request method:

    if 'oauth_token' not in uri:
        req.sign_request(self.method, self.consumer, self.token)

In the Request.from_consumer_and_token method:

    defaults.update(parameters)
    parameters = defaults
    if http_url is not None and '?' in http_url:
        parameters = {}

maxcountryman, Jan 30 '12 20:01