couchdb-dev mailing list archives

From "Paul Joseph Davis (JIRA)" <>
Subject [jira] [Commented] (COUCHDB-1144) oauth requests with non-percent-encoded realms result in function_clause error in HTTP request
Date Thu, 28 Apr 2011 18:16:03 GMT


Paul Joseph Davis commented on COUCHDB-1144:

Crux of the issue is that oauth_uri:decode in 1.1.x is much more strict than in trunk. Trunk
version just de-hexes any %HH encodings, whereas 1.1.x asserts that non %HH sequences match

> oauth requests with non-percent-encoded realms result in function_clause error in HTTP
> ----------------------------------------------------------------------------------------------
>                 Key: COUCHDB-1144
>                 URL:
>             Project: CouchDB
>          Issue Type: Bug
>          Components: HTTP Interface
>    Affects Versions: 1.0.2, 1.1
>         Environment: OSX - branch 1.1 - r1095237
>            Reporter: Joan Touzet
>            Priority: Minor
>         Attachments: oauth-realm-test.patch, oauth_uri.erl
> As illustrated in this Wireshark packet dump, lines 53ff, any OAuth request with a non-percent-encoded URL as the realm will return a 500 error:
> Erlang stacktrace is similar to:
> [error] [<0.189.0>] function_clause error in HTTP request [Wed, 27 Apr 2011 23:31:46 GMT] [info] [<0.189.0>] Stacktrace:
> [{oauth_uri,decode, ["://","ptth"]},
>                                 {oauth_uri,param_from_header_string,1},
>                                 {oauth_uri,
>                                     '-params_from_header_string/1-lc$^0/1-0-',
>                                     1},
>                                 {couch_httpd_oauth,serve_oauth,3},
>                                 {couch_httpd,authenticate_request,2},
>                                 {couch_httpd,handle_request_int,5},
>                                 {mochiweb_http,headers,5},
>                                 {proc_lib,init_p_do_apply,3}] [Wed, 27 Apr 2011 23:31:46 GMT] [info] [<0.189.0>] - - 'PUT'
> /test_c_project/16f74c25-d641-4710-8f38-18295a8a69b1 500
> Chatted with benoitc today and he suggested this may be because the realm is not being properly encoded before being passed on.
> By default, some OAuth libraries such as Python's popular oauth2 library always set the realm of a request to the URL of the resource being accessed, such as http://localhost:5984/. (In fact, oauth2 library does not support overriding this setting.) The OAuth spec @ also shows realms specified as URLs.  RFC5849 states "The OPTIONAL "realm" parameter MAY be added and interpreted per [RFC2617] section 1.2.", which in turn says the realm is any quoted-string.
> It seems that this may already be fixed in trunk simply because trunk has a newer version of the upstream erlang-oauth.
> A JS test could be added in futon to validate this by modifying function oauthRequest to accept a realm parameter, then passing that down to OAuth.getAuthorizationHeader on line

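The strict and lenient decoding behaviours contrasted in the comment above, as an added Erlang illustration that is not CouchDB or erlang-oauth source. The module and function names are hypothetical, and the strict variant is assumed to accept only RFC 3986 unreserved characters outside %HH sequences, since the comment is cut off before naming the set.

```erlang
-module(realm_decode_demo).
-export([strict_decode/1, lenient_decode/1, safe_decode/1, demo/0]).

%% Assumption: the set the strict variant accepts (RFC 3986 unreserved).
-define(is_unreserved(C),
        ((C >= $a andalso C =< $z) orelse (C >= $A andalso C =< $Z) orelse
         (C >= $0 andalso C =< $9) orelse
         C =:= $- orelse C =:= $. orelse C =:= $_ orelse C =:= $~)).

%% Strict: each character must be part of %HH or be unreserved. There is no
%% clause for anything else, so "http://..." fails at ":" with the
%% accumulator holding "ptth", the same arguments the reported stack trace
%% shows for oauth_uri:decode.
strict_decode(Chars) -> strict_decode(Chars, []).

strict_decode([], Acc) -> lists:reverse(Acc);
strict_decode([$%, A, B | Rest], Acc) ->
    strict_decode(Rest, [list_to_integer([A, B], 16) | Acc]);
strict_decode([C | Rest], Acc) when ?is_unreserved(C) ->
    strict_decode(Rest, [C | Acc]).

%% Lenient: de-hex %HH and copy every other character through unchanged.
lenient_decode(Chars) -> lenient_decode(Chars, []).

lenient_decode([], Acc) -> lists:reverse(Acc);
lenient_decode([$%, A, B | Rest], Acc) ->
    lenient_decode(Rest, [list_to_integer([A, B], 16) | Acc]);
lenient_decode([C | Rest], Acc) ->
    lenient_decode(Rest, [C | Acc]).

%% Defensive wrapper: return a tagged error so the caller can reject the
%% header as a client error instead of crashing the request process.
safe_decode(Chars) ->
    try {ok, strict_decode(Chars)}
    catch
        error:function_clause -> {error, {bad_encoding, Chars}};
        error:badarg -> {error, {bad_encoding, Chars}}
    end.

%% Checks on the realm value quoted in the report.
demo() ->
    Realm = "http://localhost:5984/",
    {error, {bad_encoding, Realm}} = safe_decode(Realm),
    {ok, Realm} = safe_decode("http%3A%2F%2Flocalhost%3A5984%2F"),
    Realm = lenient_decode(Realm),
    ok.
```

Compile with `c(realm_decode_demo).` in an Erlang shell and call `realm_decode_demo:demo().`; it returns `ok` when all three pattern matches hold.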