From 0cb60652dbefc18bcd70b60f760c5587a9f8654d Mon Sep 17 00:00:00 2001
From: Alex Cartwright
Date: Thu, 21 May 2015 12:12:50 +0100
Subject: [PATCH 1/3] Ensure OAuth1 signature is created as per the spec
---
 lib/class-wp-json-authentication-oauth1.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
index 3a0612f..b3deea8 100644
--- a/lib/class-wp-json-authentication-oauth1.php
+++ b/lib/class-wp-json-authentication-oauth1.php
@@ -50,7 +50,7 @@ public function parse_header( $header ) {
 $params = array();
 if ( preg_match_all( '/(oauth_[a-z_-]*)=(:?"([^"]*)"|([^,]*))/', $header, $matches ) ) {
 foreach ($matches[1] as $i => $h) {
- $params[$h] = urldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] );
+ $params[$h] = rawurldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] );
 }
 if (isset($params['realm'])) {
 unset($params['realm']);
@@ -551,7 +551,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 $params = array_merge( $params, $oauth_params );
- $base_request_uri = rawurlencode( get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) ) );
+ $base_request_uri = get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
 // get the signature provided by the consumer and remove it from the parameters prior to checking the signature
 $consumer_signature = rawurldecode( $params['oauth_signature'] );
@@ -567,7 +567,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 $query_string = $this->create_signature_string( $params );
 $token = (array) $token;
- $string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string;
+ $string_to_sign = $http_method . '&' . rawurlencode( $base_request_uri ) . '&' . rawurlencode( $query_string );
 $key_parts = array( $consumer->secret, ( $token ? $token['secret'] : '' )
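Review bot: `empty($matches[3][$i])` on the changed line treats a quoted value of `"0"` as absent and falls through to the unquoted group, which is empty for a quoted match, so any header parameter legitimately equal to `0` (for example a nonce or timestamp of `"0"`) reaches the caller as an empty string; compare against the empty string instead, `$params[$h] = rawurldecode( $matches[3][$i] !== '' ? $matches[3][$i] : $matches[4][$i] );`. The pattern's `(:?"` looks like a mistyped `(?:"`; because group indices 3 and 4 depend on that group capturing, correcting it would also require renumbering them to 2 and 3. parse_header continues beyond this hunk.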
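Review bot: `$params['oauth_signature']` is read without an isset() guard on the line after the changed one, so a request that omits the signature raises a notice and the check continues with `$consumer_signature` equal to the empty string, unless a required-parameter check in the part of check_oauth_signature outside this hunk already guarantees the key; I would fail closed here with the same pattern the failed-sort branch uses, `if ( empty( $params['oauth_signature'] ) ) return new WP_Error( 'json_oauth1_missing_signature', __( 'Invalid Signature - missing signature parameter' ), array( 'status' => 401 ) );` (error code and message illustrative). The path component taken from `$_SERVER['REQUEST_URI']` is passed through as received, so a client that percent-encodes the path differently from what the server sees will fail verification; that is acceptable for a verifier, but worth a one-line comment stating that the base URI is deliberately built from the configured home URL rather than the Host header. check_oauth_signature starts and ends outside this hunk.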
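Review bot: The signature computed from this base string is presumably compared with `$consumer_signature` further down, outside the hunk; that comparison should be `hash_equals( $computed_signature, $consumer_signature )` rather than `==`/`===` so that it is constant-time and immune to string-to-number juggling (WordPress ships a hash_equals() polyfill for PHP versions without it). It is also worth confirming where `$http_method` is set that it is upper-cased, since RFC 5849 requires the method in the base string to be uppercase and a lowercase value from the client would otherwise fail verification for no useful reason. check_oauth_signature continues outside this hunk.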
@@ -604,7 +604,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 * @return string Signature string
 */
 public function create_signature_string( $params ) {
- return implode( '%26', $this->join_with_equals_sign( $params ) ); // join with ampersand
+ return implode( '&', $this->join_with_equals_sign( $params ) ); // join with ampersand
 }
 /**
@@ -624,8 +624,8 @@ public function join_with_equals_sign( $params, $query_params = array(), $key =
 if ( $key ) {
 $param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array
 }
- $string = $param_key . '=' . $param_value; // join with equals sign
- $query_params[] = urlencode( $string );
+ $string = rawurlencode( $param_key ) . '=' . rawurlencode( $param_value ); // join with equals sign
+ $query_params[] = $string;
 }
 }
 return $query_params;
From c41eb3089341c2e44eb09ca45f8ab24ac7753063 Mon Sep 17 00:00:00 2001
From: coderkevin
Date: Thu, 5 Nov 2015 21:25:30 -0600
Subject: [PATCH 2/3] Remove normalize_parameters function.
This function was actually decoding parameters that shouldn't have been decoded, then re-encoding them. See: https://github.com/WP-API/OAuth1/issues/91 The idea behind removing this function is that parameters should be encoded as needed, not through a brute-force function like this, which can cause unintended side-effects for parameters which contain portions that are already encoded.
---
 lib/class-wp-json-authentication-oauth1.php | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
index b3deea8..080055a 100644
--- a/lib/class-wp-json-authentication-oauth1.php
+++ b/lib/class-wp-json-authentication-oauth1.php
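Review bot: Keys and values are now percent-encoded only after the parameters have been ordered, but RFC 5849 §3.4.1.3.2 sorts by the encoded key (then encoded value), and the `uksort( $params, 'strcmp' )` in check_oauth_signature (visible in the @@ -557 hunk of patch 2/3) orders raw keys; the two orders differ whenever a key contains a reserved or non-ASCII byte, e.g. raw `a-` sorts before `a/` but encoded `a%2F` sorts before `a-`, so the server builds a base string the client never signed. The smallest fix is in that uksort call, `uksort( $params, function ( $a, $b ) { return strcmp( rawurlencode( $a ), rawurlencode( $b ) ); } );`, so that ordering and encoding agree. The `$key . '[' . $param_key . ']'` form for nested arrays is a PHP convention rather than OAuth's duplicate-key handling and deserves a comment saying clients must send the same bracket syntax. join_with_equals_sign starts and ends outside this hunk.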
@@ -557,9 +557,6 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 $consumer_signature = rawurldecode( $params['oauth_signature'] );
 unset( $params['oauth_signature'] );
- // normalize parameter key/values
- array_walk_recursive( $params, array( $this, 'normalize_parameters' ) );
- // sort parameters if ( ! uksort( $params, 'strcmp' ) ) return new WP_Error( 'json_oauth1_failed_parameter_sort', __( 'Invalid Signature - failed to sort parameters' ), array( 'status' => 401 ) );
@@ -631,20 +628,6 @@ public function join_with_equals_sign( $params, $query_params = array(), $key =
 return $query_params;
 }
- /**
- * Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then
- * re-encode according to RFC 3986
- *
- * @since 2.1
- * @see rawurlencode()
- * @param string $key
- * @param string $value
- */
- protected function normalize_parameters( &$key, &$value ) {
- $key = rawurlencode( rawurldecode( $key ) );
- $value = rawurlencode( rawurldecode( $value ) );
- }
-
 /**
 * Verify that the timestamp and nonce provided with the request are valid
 *
From dd283fa504508b658b264e142ac006d3995c1bf8 Mon Sep 17 00:00:00 2001
From: Solomon Blaz
Date: Thu, 4 Jun 2015 17:23:07 -0600
Subject: [PATCH 3/3] Fix issue WP-API/OAuth1#59, OAuth callback isn't called
---
 lib/class-wp-json-authentication-oauth1.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
index 080055a..661ceab 100644
--- a/lib/class-wp-json-authentication-oauth1.php
+++ b/lib/class-wp-json-authentication-oauth1.php
@@ -365,13 +365,14 @@ public function generate_request_token( $params ) {
 // Generate token
 $key = apply_filters( 'json_oauth1_request_token_key', wp_generate_password( self::TOKEN_KEY_LENGTH, false ) );
+ $callback = $params['oauth_callback'];
 $data = array(
 'key' => $key,
 'secret' => wp_generate_password( self::TOKEN_SECRET_LENGTH, false ),
 'consumer' => $consumer->ID,
 'authorized' => false,
 'expiration' => time() + 24 * HOUR_IN_SECONDS,
- 'callback' => null,
+ 'callback' => $callback,
 'verifier' => null,
 'user' => null,
 );
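Review bot: `$callback = $params['oauth_callback'];` stores the client-supplied callback without any validation, and since this value is presumably what the resource owner is redirected to after authorizing (the temporary-credential callback of RFC 5849 §2.1), an unchecked value is an open redirect that hands the oauth_verifier to whatever URL the requester chose; the spec also requires the parameter to be present and to be either an absolute URL or the literal `oob`. The key is read without isset(), so a request lacking it raises a notice and stores null, which is the state this commit is trying to move away from. I would reject a missing value and anything that is not `oob` or an absolute http(s) URL before it is stored, and compare it against the consumer's registered callback if the consumer record carries one (the WP_Error codes below are illustrative). generate_request_token starts and ends outside this hunk.
```php
// … unchanged: token key generation …
if ( empty( $params['oauth_callback'] ) ) {
	return new WP_Error( 'json_oauth1_missing_callback', __( 'Missing OAuth callback' ), array( 'status' => 400 ) );
}
$callback = $params['oauth_callback'];
$scheme   = strtolower( (string) parse_url( $callback, PHP_URL_SCHEME ) );
if ( 'oob' !== $callback && ( ! in_array( $scheme, array( 'http', 'https' ), true ) || ! filter_var( $callback, FILTER_VALIDATE_URL ) ) ) {
	return new WP_Error( 'json_oauth1_invalid_callback', __( 'Invalid OAuth callback' ), array( 'status' => 400 ) );
}
// … unchanged: $data array, with 'callback' => $callback …
```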