From c65d4b35ebeb265d82c01563abf5cfa44bd2ea76 Mon Sep 17 00:00:00 2001
From: Alex Cartwright
Date: Thu, 21 May 2015 12:12:50 +0100
Subject: [PATCH] Ensure OAuth1 signature is created as per the spec
---
 lib/class-wp-json-authentication-oauth1.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
index 3a0612f..b3deea8 100644
--- a/lib/class-wp-json-authentication-oauth1.php
+++ b/lib/class-wp-json-authentication-oauth1.php
@@ -50,7 +50,7 @@ public function parse_header( $header ) {
 		$params = array();
 		if ( preg_match_all( '/(oauth_[a-z_-]*)=(:?"([^"]*)"|([^,]*))/', $header, $matches ) ) {
 			foreach ($matches[1] as $i => $h) {
-				$params[$h] = urldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] );
+				$params[$h] = rawurldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] );
 			}
 			if (isset($params['realm'])) {
 				unset($params['realm']);
@@ -551,7 +551,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 		$params = array_merge( $params, $oauth_params );
-		$base_request_uri = rawurlencode( get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) ) );
+		$base_request_uri = get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
 		// get the signature provided by the consumer and remove it from the parameters prior to checking the signature
 		$consumer_signature = rawurldecode( $params['oauth_signature'] );
@@ -567,7 +567,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 		$query_string = $this->create_signature_string( $params );
 		$token = (array) $token;
-		$string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string;
+		$string_to_sign = $http_method . '&' . rawurlencode( $base_request_uri ) . '&' . rawurlencode( $query_string );
 		$key_parts = array(
 			$consumer->secret,
 			( $token ? $token['secret'] : '' )
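Review bot: On the new `rawurldecode( empty($matches[3][$i]) ? ... )` line, `empty()` treats the quoted value `"0"` as empty, so a header parameter whose value is exactly `0` falls through to `$matches[4][$i]`, which is `''` for a quoted match, and the parameter is silently parsed as an empty string. Test the capture explicitly instead: `$params[$h] = rawurldecode( $matches[3][$i] !== '' ? $matches[3][$i] : $matches[4][$i] );`. Note also that `(:?"` in the pattern looks like a typo for the non-capturing `(?:`; it is harmless today because the capturing group is what keeps indices 3 and 4 where this line expects them, so fixing it would shift them and the two must change together, or the typo should stay with a comment explaining why. parse_header's body continues outside the hunk.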
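Review bot: The new unencoded `$base_request_uri` is built by handing the full request path to `get_home_url()`, which prefixes the configured home URL; when WordPress lives in a subdirectory the home URL already carries that path, so the base string URI would presumably contain it twice (inferred from `get_home_url()`'s behaviour, not visible here) and every signature on such an install would fail. RFC 5849 §3.4.1.2 wants the scheme and host lowercased, the default port dropped and the query and fragment omitted; deriving scheme, host and port from `parse_url( get_home_url() )` and appending only `parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH )` meets that without the duplicated path, while still taking the authority from configuration rather than from the client-controlled Host header. A comment on the line, `// Base string URI (RFC 5849 §3.4.1.2): authority comes from the configured home URL, not the Host header`, would record that choice. check_oauth_signature starts and ends outside the hunk.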
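Review bot: The `$key_parts` array begun just below the new `$string_to_sign` line holds `$consumer->secret` and `$token['secret']` raw, whereas RFC 5849 §3.4.2 defines the HMAC-SHA1 key as the percent-encoded consumer secret, `&`, and the percent-encoded token secret; if a secret ever contains a reserved character the server and a conforming client derive different keys. Wrap both parts where the array is built: `rawurlencode( $consumer->secret ),` and `rawurlencode( $token ? $token['secret'] : '' )`. The base string also requires the HTTP method in uppercase, and `$http_method` is assigned outside the hunk, so confirm it passes through `strtoupper()`. The comparison of the computed signature against `$consumer_signature` also lies past the hunk; if it uses `===`, prefer `hash_equals()` so the check is constant-time. check_oauth_signature starts and ends outside the hunk.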
@@ -604,7 +604,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 	 * @return string Signature string
 	 */
 	public function create_signature_string( $params ) {
-		return implode( '%26', $this->join_with_equals_sign( $params ) ); // join with ampersand
+		return implode( '&', $this->join_with_equals_sign( $params ) ); // join with ampersand
 	}
 	/**
@@ -624,8 +624,8 @@ public function join_with_equals_sign( $params, $query_params = array(), $key =
 				if ( $key ) {
 					$param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array
 				}
-				$string = $param_key . '=' . $param_value; // join with equals sign
-				$query_params[] = urlencode( $string );
+				$string = rawurlencode( $param_key ) . '=' . rawurlencode( $param_value ); // join with equals sign
+				$query_params[] = $string;
 			}
 		}
 		return $query_params;
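Review bot: The docblock above the changed `implode( '&', ... )` line still describes the return as `Signature string`, but after this change the method returns the RFC 5849 §3.4.1.3.2 normalized parameter string, which the caller must percent-encode once more before it goes into the signature base string (as `check_oauth_signature()` now does). Tighten the docblock to say so, e.g. `@return string Normalized request parameters: 'k=v' pairs joined with '&'; the caller must rawurlencode() the result for the base string`, and drop the now-redundant `// join with ampersand` trailing comment. The start of the docblock and the method's callers are outside the hunk.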
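Review bot: The pairs produced on the new `$string = rawurlencode( $param_key ) . '=' . rawurlencode( $param_value )` line are appended in iteration order and no sort is visible in the hunk; RFC 5849 §3.4.1.3.2 requires the normalized parameters to be ordered by encoded name and then by encoded value, so unless `$params` is sorted by its encoded keys before this loop (the loop head is outside the hunk) a client that sends the same parameters in another order computes a different base string and is rejected — an interoperability failure rather than a bypass, but one this commit's "as per the spec" goal should cover. The sort must use the encoded form, since the bracketed keys built just above (`a[b]` becomes `a%5Bb%5D`) can order differently from the raw keys; for instance `uksort( $params, function ( $a, $b ) { return strcmp( rawurlencode( $a ), rawurlencode( $b ) ); } );` before the loop. Also, `rawurlencode( $param_value )` on an array value yields `Array` with a notice; presumably the multi-dimensional case recurses before reaching this line, but that branch is not visible here. join_with_equals_sign starts outside the hunk.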