Author: chabotc
Date: Wed Apr 1 19:41:20 2009
New Revision: 761024
URL: http://svn.apache.org/viewvc?rev=761024&view=rev
Log:
Make sure the opensocial_* and oauth_* params are _always_ stripped out in
signed requests so they can't be spoofed
Modified:
incubator/shindig/trunk/php/src/gadgets/SigningFetcher.php
Modified: incubator/shindig/trunk/php/src/gadgets/SigningFetcher.php
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/php/src/gadgets/SigningFetcher.php?rev=761024&r1=761023&r2=761024&view=diff
==============================================================================
--- incubator/shindig/trunk/php/src/gadgets/SigningFetcher.php (original)
+++ incubator/shindig/trunk/php/src/gadgets/SigningFetcher.php Wed Apr 1
19:41:20 2009
@@ -117,6 +117,12 @@
$queryParams = array();
if (isset($parsedUri['query'])) {
parse_str($parsedUri['query'], $queryParams);
+ // strip out all opensocial_* and oauth_* params so they can't be
spoofed by the client
+ foreach ($queryParams as $key => $val) {
+ if ((strtolower(substr($key, 0, strlen('opensocial_'))) ==
'opensocial_') || (strtolower(substr($key, 0, strlen('oauth_'))) == 'oauth_')) {
+ unset($queryParams[$key]);
+ }
+ }
$queryParams = $this->sanitize($queryParams);
}
$postParams = array();
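Review bot: The prefix strip is applied only to the query string, while `$postParams` is initialised on the hunk's last line and its handling lies outside the hunk (as does the start of the enclosing method); if body parameters are also folded into the signed request they need the same `opensocial_*`/`oauth_*` filter, otherwise the client-supplied values this change removes could still reach the signature via the body. Worth confirming against the lines that follow. On the added condition, `if (stripos($key, 'opensocial_') === 0 || stripos($key, 'oauth_') === 0) {` says the same thing without the `substr`/`strlen` pair and drops the loose `==`. Since PHP's `foreach` iterates over a copy of the array, `unset($queryParams[$key])` inside the loop is safe here, but a comment such as `// foreach iterates a copy, so unset() during the loop is safe` would spare the next reader the check.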