OAuth Core 1.0 (or a) does *not* include PUT body parameters in the signature 
base string. That is a bug which I already fixed a while back in the very first 
I-D:

   o  Removed restriction of only signing application/
      x-www-form-urlencoded in POST requests, allowing the entity-body
      to be used with all HTTP request methods.

The current IETF version is all inclusive:

---
   The request parameters, which include both protocol parameters and
   request-specific parameters, are extracted and restored to their
   original unencoded form, from the following sources:

   o  The OAuth HTTP Authorization header (Section 7.1).  The "realm"
      parameter MUST be excluded if present.

   o  The HTTP request entity-body, but only if:

      *  The entity-body is single-part.

      *  The entity-body follows the encoding requirements of the
         "application/x-www-form-urlencoded" content-type as defined by
         [W3C.REC-html40-19980424].

      *  The HTTP request entity-header includes the "Content-Type"
         header set to "application/x-www-form-urlencoded".

   o  The query component of the HTTP request URI as defined by
      [RFC3986] section 3.

   The "oauth_signature" parameter MUST be excluded if present.
---

Too bad very few people actually bother to read the IETF drafts and provide 
feedback. For the record, I had to restrain myself in that last sentence from 
using offensive language.

EHL

> -----Original Message-----
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Hannes Tydén
> Sent: Wednesday, September 16, 2009 5:31 PM
> To: OAuth
> Subject: [oauth] Re: Signing PUT request
> 
> 
> On Sep 17, 1:12 am, Hans Granqvist <h...@granqvist.com> wrote:
> 
> > seems to leave PUT requests with form-encoded name/value pairs in a
> > bad spot, not covered by the core spec (which only deals with POSTs),
> > nor covered by the body hash spec.
> 
> I will rephrase my initial question:
> Is it true that the base string for "application/x-www-form-
> urlencoded" PUT requests should not contain the parameters in the
> request body according to the 1.0 core specification?
> 
> Section "9.1.1 Normalize Request Parameters" (http://oauth.net/core/
> 1.0#anchor14) says:
> "Parameters in the HTTP POST request body (with a content-type of
> application/x-www-form-urlencoded)."
> 
> If "HTTP POST request body" should be interpreted as "the request body
> if it is a POST request", "application/x-www-form-urlencoded" PUT
> requests are wide open for man-in-the-middle attacks.
> 
> If it should be interpreted as "the request body of any kind of
> request", I'm fine with this and we could move along.
> 
> In any case the wording is too ambiguous, leaving room for
> interpretation. I'd suggest that an amendment should be done to the
> specification.
> 

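The parameter-collection rule quoted from the IETF draft above is easy to get wrong in an implementation that only looks at the body for POST. The following Python is an added example, not code from this thread or from any OAuth library: it gathers parameters from the Authorization header (minus "realm"), the form-encoded entity-body regardless of HTTP method, and the URI query, drops "oauth_signature", and builds the base string and HMAC-SHA1 value. The function names, the sample PUT request, its key, nonce, timestamp and secrets are all constructed for illustration; it also shows the flip side the thread raises, that a non-form body (here JSON) is not covered by the signature at all.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed sample request: a form-encoded PUT. The consumer key, nonce,
# timestamp and secrets below are made-up values, not taken from the thread.
URL = "HTTP://Example.com:80/photos?file=vacation.jpg"
HEADERS = {
    "Authorization": (
        'OAuth realm="Example", oauth_consumer_key="dpf43f3p2l4k3l03", '
        'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1253140000", '
        'oauth_nonce="kllo9940pd9333jh", oauth_version="1.0"'
    ),
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
}
BODY = "size=original&title=Summer+2009"
CONSUMER_SECRET = "kd94hf93k423kf44"   # constructed
TOKEN_SECRET = "pfkkdhi9sl3r4s00"      # constructed


def pct_encode(s: str) -> str:
    """Percent-encode leaving only the RFC 3986 unreserved set untouched."""
    return quote(s, safe="-._~")


def collect_parameters(url, headers, body):
    """Gather (name, value) pairs from the three sources the draft names.

    The entity-body counts for *any* method, provided it is a single-part
    application/x-www-form-urlencoded body. 'realm' and 'oauth_signature'
    are excluded. Values are returned in decoded form.
    """
    params = []
    # 1. Authorization header: OAuth realm="...", oauth_x="pct-encoded", ...
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("oauth "):
        for part in auth[6:].split(","):
            name, _, value = part.strip().partition("=")
            if name == "realm":
                continue
            params.append((unquote(name), unquote(value.strip('"'))))
    # 2. Entity-body, only for the form-urlencoded media type; a multipart
    #    body carries a different Content-Type and is therefore skipped.
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        params.extend(parse_qsl(body, keep_blank_values=True))
    # 3. Query component of the request URI.
    params.extend(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return [(k, v) for k, v in params if k != "oauth_signature"]


def base_string_uri(url):
    """scheme://host[:port]/path with lowercase scheme/host, default ports dropped."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme, port) in (("http", 80), ("https", 443))):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, headers, body):
    """METHOD & encoded(base URI) & encoded(sorted, encoded name=value pairs)."""
    pairs = sorted((pct_encode(k), pct_encode(v)) for k, v in collect_parameters(url, headers, body))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, headers, body, consumer_secret, token_secret, presented):
    """Server-side check: recompute over the same parameter sources and compare."""
    expected = hmac_sha1_signature(signature_base_string(method, url, headers, body),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    base = signature_base_string("PUT", URL, HEADERS, BODY)
    sig = hmac_sha1_signature(base, CONSUMER_SECRET, TOKEN_SECRET)
    print(base)
    print("signature:", sig)
    print("original body verifies:", verify("PUT", URL, HEADERS, BODY, CONSUMER_SECRET, TOKEN_SECRET, sig))
    print("altered body verifies: ",
          verify("PUT", URL, HEADERS, "size=original&title=Other", CONSUMER_SECRET, TOKEN_SECRET, sig))
```

Running it shows the body pair title=Summer 2009 inside the base string, so a modified form body fails verification; swapping the Content-Type to application/json leaves the base string identical for any body, which is the gap the body-hash extension mentioned in the quoted message exists to close.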