shindig-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bastian Hofmann (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHINDIG-966) token over-decoding
Date Tue, 27 Jul 2010 15:09:18 GMT

    [ https://issues.apache.org/jira/browse/SHINDIG-966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12892812#action_12892812
] 

Bastian Hofmann commented on SHINDIG-966:
-----------------------------------------

We have the same problem with overdecoding of the security token. In order to not brake the
makeRequest servlet, the following changes are needed:

--- -   2010-07-27 12:57:13.000000000 +0200
+++ php/src/gadgets/MetadataHandler.php 2010-07-26 08:55:15.000000000 +0200
@@ -53,9 +53,6 @@
         return null;
       }
     }
-    if (count(explode(':', $token)) < 7) {
-      $token = urldecode(base64_decode($token));
-    }
     $gadgetSigner = Config::get('security_token_signer');
     $gadgetSigner = new $gadgetSigner();
     return $gadgetSigner->createToken($token);

--- -   2010-07-27 12:57:57.000000000 +0200
+++ php/src/social/servlet/ApiServlet.php       2010-07-26 08:55:15.000000000 +0200
@@ -131,9 +131,6 @@
         return null;
       }
     }
-    if (count(explode(':', $token)) < 7) {
-      $token = urldecode(base64_decode($token));
-    }
     $gadgetSigner = Config::get('security_token_signer');
     $gadgetSigner = new $gadgetSigner();
     return $gadgetSigner->createToken($token);

--- -   2010-07-27 12:57:08.000000000 +0200
+++ php/src/gadgets/GadgetContext.php   2010-07-26 08:55:15.000000000 +0200
@@ -285,9 +285,6 @@
    * @return SecurityToken An object representation of the token data.
    */
   public function validateToken($token, $signer) {
-    if (count(explode(':', $token)) < 7) {
-      $token = urldecode(base64_decode($token));
-    }
     if (empty($token)) {
       throw new Exception("Missing or invalid security token");
     }


--- -   2010-07-27 16:50:27.000000000 +0200
+++ php/src/gadgets/MakeRequestOptions.php      2010-07-27 16:42:17.000000000 +0200
@@ -247,7 +247,7 @@
             ->setOAuthUseToken($request->getParameter('oauth_use_token'))
             ->setOAuthReceivedCallback($request->getParameter('oauth_received_callback'))
             ->setOAuthClientState($request->getParameter('oauth_state')) // Not in
osapi.http spec, but nice to support
-            ->setSecurityTokenString(urlencode(base64_encode($request->getToken()->toSerialForm())));
+            ->setSecurityTokenString($request->getToken()->toSerialForm());

     return $options;
   }


> token over-decoding
> -------------------
>
>                 Key: SHINDIG-966
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-966
>             Project: Shindig
>          Issue Type: Bug
>          Components: PHP
>    Affects Versions: 1.1-BETA1
>            Reporter: Dmitry Vorobyev
>            Assignee: Chris Chabot
>
> ### Eclipse Workspace Patch 1.0
> #P gadget
> Index: http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php
> ===================================================================
> --- http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php
(revision 20842)
> +++ http://svn.apache.org/repos/asf/incubator/shindig/trunk/php/src/gadgets/GadgetContext.php
(working copy)
> @@ -292,9 +292,6 @@
>      if (! isset($token) || $token == '') {
>        $token = isset($_POST['st']) ? $_POST['st'] : '';
>      }
> -    if (count(explode(':', $token)) != 6) {
> -      $token = urldecode(base64_decode($token));
> -    }
>      if (empty($token)) {
>        throw new Exception("Missing or invalid security token");
>      }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message