Comments (4)
ib-lundgren
commented on May 16, 2024
Hey and thanks for the report!
It is indeed a bug and the caused by incorrectly including data when calculating the OAuth signature. When sending multipart form data the body parameters should not be used in the signature, but they are in this case.
This happens because when requests call OAuth1 it has not yet set the content-type header (which ive not looked deeper into why), this causes OAuth1 to have to guess content type, since no is set and data is included it happily and wrongly assumes it is x-www-form-urlencoded (no check for files etc.). OAuthLib then has no clue that wrong input is given since its correctly formatted and proceeds to calculate a signature.
There are a two solutions to this but unfortunately for you @michaelhelmick no easy one-line fix.
- Have requests set the content-type prior to calling OAuth1
- Make OAuth1 do a better job figuring out content-type
Note to @idangazit @dgouldin, Twitter docs mentioned that they exclude body params (as per spec) but in this specific case also query parameters which is odd. Maybe add an option to OAuth1 to exclude params from query/body?
from oauthlib.
michaelhelmick
commented on May 16, 2024
Yep. You hit the nail on the head. I've found ways around this with standard urllib2 (in my Tumblpy and Flick libs) and with requests in @ryanmcgrath's Twython lib by creating a "fake request" and signing the params then sending them to a new requests.post() with the authorization headers (https://github.com/ryanmcgrath/twython/blob/master/twython/twython.py#L514-L552)
The first solution I believe was turned down by @kennethreitz I believe. Don't quote me on that. Haha.
The second solution I would imagine would be more desired.
Sent from my iPad
On May 14, 2012, at 7:26 PM, [email protected] wrote:
Hey and thanks for the report!
It is indeed a bug and the caused by incorrectly including data when calculating the OAuth signature. When sending multipart form data the body parameters should not be used in the signature, but they are in this case.
This happens because when requests call OAuth1 it has not yet set the content-type header (which ive not looked deeper into why), this causes OAuth1 to have to guess content type, since no is set and data is included it happily and wrongly assumes it is x-www-form-urlencoded (no check for files etc.). OAuthLib then has no clue that wrong input is given since its correctly formatted and proceeds to calculate a signature.
There are a two solutions to this but unfortunately for you @michaelhelmick no easy one-line fix.
- Have requests set the content-type prior to calling OAuth1
- Make OAuth1 do a better job figuring out content-type
Note to @idangazit @dgouldin, Twitter docs mentioned that they exclude body params (as per spec) but in this specific case also query parameters which is odd. Maybe add an option to OAuth1 to exclude params from query/body?
Reply to this email directly or view it on GitHub:
https://github.com/idangazit/oauthlib/issues/38#issuecomment-5704881
from oauthlib.
ib-lundgren
commented on May 16, 2024
@idangazit Sent a pull request addressing this at https://github.com/kennethreitz/requests/pull/614. If it gets merged you can probably close this issue =)
from oauthlib.
kennethreitz
commented on May 16, 2024
Merged. 🍰
from oauthlib.
Related Issues (20)
- RFC5849 oauth1 signature base_string_uri doesn't parse IPv6 addresses
- Pre-configured OIDC server should use OIDC refresh token grant type HOT 5
- Security Issue in OAuthLib HOT 1
- CI/Pipeline broken since TravisCI consumed all "OSS credits" HOT 2
- Merging the fix of CVE-2022-36087 into tag v3.2.1 HOT 8
- URI validation does not support shortform localhost IPv6 URIs HOT 1
- Latest version on pypi.org (3.2.2) not reflected here - is it safe? HOT 2
- private_key_jwt
- Will the default warning behavior for scope changes be updated? HOT 1
- Please support http.client as the a request client HOT 3
- OAuth2Session is not pickleable HOT 2
- Docs: Add link to GitHub project sidebar? HOT 1
- Support for refresh token expiration
- typing issues HOT 2
- Problem with use oauthlib with last version cryptography
- Adopt `build` because running `setup.py` is deprecated for security reasons
- Oauthlib not catching error: CompactToken validation failed with reason code: 80049228 HOT 1
- accessing session user in validate_silent_login
- fastapi Support HOT 1
- Modifications of headers returned by Client.prepare_*_request affects future calls
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauthlib.