simple_oauth
don't symbolize arbitrary user-supplied strings
The symbolization of arbitrary user-supplied strings is a DoS / memory exhaustion vulnerability. This patch limits the symbols which SimpleOAuth uses for keys in the .parse method to those that are recognized attributes of an OAuth Authorization header.
This does create some inconsistency, where some parts of the hash returned from .parse will be strings and others will be symbols, but this seems necessary: the recognized keys must remain symbols to avoid breaking pretty much every application using this library; the unrecognized keys must not be symbols to avoid the vulnerability.
Unrelated to this issue, I want to express thanks for a really excellent, simple library for OAuth. I've created a library called oauthenticator at https://github.com/notEthan/oauthenticator which consists of Rack middleware for authentication with informative error responses that builds on SimpleOAuth.
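As an added illustration of the approach the patch describes (example code written here, not simple_oauth's own implementation; the names RECOGNIZED_OAUTH_KEYS, safe_key and parse_oauth_header are assumed for the example), here is a header parser that symbolizes only recognized attribute names and leaves everything else as a String, so request data never reaches String#to_sym:

```ruby
require 'cgi'

# Attribute names defined for the OAuth 1.0 Authorization header (RFC 5849).
# Lookup is String -> Symbol, so the Symbols are created once, at load time,
# and never from request data.
RECOGNIZED_OAUTH_KEYS = %w[
  consumer_key nonce signature signature_method timestamp token version
  callback verifier body_hash
].each_with_object({}) { |n, h| h["oauth_#{n}"] = n.to_sym }.freeze

# Returns the Symbol for a recognized oauth_* attribute, otherwise the String
# itself. No String#to_sym is ever called on the caller-controlled name.
def safe_key(name)
  RECOGNIZED_OAUTH_KEYS.fetch(name, name)
end

# Parses a header such as
#   OAuth oauth_consumer_key="abc", oauth_nonce="n1", realm="Example"
# into a Hash. Recognized attributes get Symbol keys, all others String keys,
# mirroring the mixed-key result the patch description accepts.
def parse_oauth_header(header)
  body = header.sub(/\AOAuth\s+/i, '')
  # Values are percent-encoded by the spec, so a raw comma only separates pairs.
  body.split(/,\s*/).each_with_object({}) do |pair, attrs|
    name, quoted = pair.split('=', 2)
    next if name.nil? || quoted.nil?
    value = quoted.strip.delete_prefix('"').delete_suffix('"')
    # OAuth encodes '+' as %2B, so CGI.unescape's '+' -> ' ' rule is harmless here.
    attrs[safe_key(name.strip)] = CGI.unescape(value)
  end
end
```

A constructed header containing an unknown `oauth_not_real` attribute yields a String key for it while `oauth_consumer_key` and `oauth_nonce` still come back as `:consumer_key` and `:nonce`.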