On 9/16/09 6:31 PM, Hannes Tydén wrote:
> On Sep 17, 1:12 am, Hans Granqvist <h...@granqvist.com> wrote:
> 
>> seems to leave PUT requests with form-encoded name/value pairs in a
>> bad spot, not covered by the core spec (which only deals with POSTs),
>> nor covered by the body hash spec.
> 
> I will rephrase my initial question:
> Is it true that the base string for "application/x-www-form-urlencoded"
> PUT requests should not contain the parameters in the request body
> according to the 1.0 core specification?
> 
> Section "9.1.1 Normalize Request Parameters"
> (http://oauth.net/core/1.0#anchor14) says:
> "Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded)."
> 
> If "HTTP POST request body" should be interpreted as "the request body
> if it is a POST request", "application/x-www-form-urlencoded" PUT
> requests are wide open for man-in-the-middle attacks.
> 
> If it should be interpreted as "the request body of any kind of
> request", I'm fine with this and we could move along.

That seems to be the most reasonable interpretation.

> In any case the wording is too ambiguous, leaving room for
> interpretation. I'd suggest that an amendment should be done to the
> specification.

IMHO this needs to be clarified in the Internet-Draft. I'll forward this
message to oa...@ietf.org list.

Peter

--
Peter Saint-Andre
https://stpeter.im/
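
The two readings of section 9.1.1 discussed in this thread, as an added example that is not part of the original messages: it builds the OAuth 1.0 HMAC-SHA1 signature base string for a form-encoded PUT under each reading and checks whether a changed body still verifies. The URL, secrets, parameter values and the names `POST_ONLY` and `ANY_METHOD` are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote

def enc(s):
    # Section 5.1 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params, body, body_methods):
    # Section 9.1.1: collect parameters, sort by name then value, join as k=v&k=v
    params = list(oauth_params.items())
    if method in body_methods:  # the ambiguous step: whose body contributes
        params += parse_qsl(body, keep_blank_values=True)
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Section 9.1.3: METHOD & encoded URL & encoded normalized parameters
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(base, consumer_secret, token_secret):
    # Section 9.2: HMAC-SHA1 keyed with consumer_secret&token_secret
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample request (not taken from the thread)
CS, TS = "consumer-secret", "token-secret"
URL = "http://api.example.com/accounts/42"
OAUTH = {"oauth_consumer_key": "ck", "oauth_token": "tk",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1253145600",
         "oauth_nonce": "n0nce", "oauth_version": "1.0"}
SENT = "email=alice%40example.com&role=user"
ALTERED = "email=alice%40example.com&role=admin"   # body changed in transit

POST_ONLY = {"POST"}          # reading 1: "the body if it is a POST request"
ANY_METHOD = {"POST", "PUT"}  # reading 2: form-encoded body of any request

def verifies(body, sig, body_methods):
    # Server side: recompute over the received body, compare in constant time
    expected = sign(base_string("PUT", URL, OAUTH, body, body_methods), CS, TS)
    return hmac.compare_digest(expected, sig)

def demo():
    out = {}
    for name, methods in (("post_only", POST_ONLY), ("any_method", ANY_METHOD)):
        sig = sign(base_string("PUT", URL, OAUTH, SENT, methods), CS, TS)
        out[name] = (verifies(SENT, sig, methods), verifies(ALTERED, sig, methods))
    return out

if __name__ == "__main__":
    print(demo())
```

Each tuple is (original body verifies, altered body verifies); under the POST-only reading the altered PUT body still passes because the body never enters the base string.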


