author | Andrew Arnott <andrewarnott@gmail.com> | 2009-04-29 18:47:42 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-04-29 18:47:42 -0700 |
commit | 35d065d515189155dd06ffacc461fcc32c36275b (patch) | |
tree | 7dd4f301463c10165d89957a3ccbb58583acaabc /src | |
parent | 5b096902f07bebd978978e26cccf0bbf815473f0 (diff) | |
Fixes OAuth base signature string construction for URLs that include a query-string part.
Fixes Trac ticket 42.
Diffstat (limited to 'src')
-rw-r--r-- | src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs b/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
index d5ba346..f0ac8fa 100644
--- a/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
+++ b/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
@@ -7,9 +7,11 @@
 namespace DotNetOpenAuth.OAuth.ChannelElements {
 using System;
 using System.Collections.Generic;
+ using System.Collections.Specialized;
 using System.Diagnostics.Contracts;
 using System.Globalization;
 using System.Text;
+ using System.Web;
 using DotNetOpenAuth.Messaging;
 using DotNetOpenAuth.Messaging.Bindings;
 using DotNetOpenAuth.Messaging.Reflection;
@@ -164,13 +166,29 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
 signatureBaseStringElements.Add(message.HttpMethod.ToUpperInvariant());
+ var encodedDictionary = OAuthChannel.GetUriEscapedParameters(messageDictionary);
+ encodedDictionary.Remove("oauth_signature");
+ if (message.Recipient.Query != null) {
+ // It seeems to me a deviation from the OAuth 1.0 spec to be willing to scrape the query
+ // for parameters on anything but GET requests, but Google does it so to interop we must
+ // as well. Besides, it seems more secure to sign everything if it's there.
+ NameValueCollection nvc = HttpUtility.ParseQueryString(message.Recipient.Query);
+ foreach (string key in nvc) {
+ encodedDictionary.Add(key, nvc[key]);
+ }
+ } else if (message.HttpMethod == "POST") {
+ // If the HttpWebRequest that we're sending out has a content-type header
+ // of application/x-www-form-urlencoded, we should be parsing out those parameters
+ // and adding them to this dictionary as well.
+ // But at this point we don't have access to the HttpWebRequest (design flaw?)
+ // TODO: figure this out.
+ }
+
 UriBuilder endpoint = new UriBuilder(message.Recipient);
 endpoint.Query = null;
 endpoint.Fragment = null;
 signatureBaseStringElements.Add(endpoint.Uri.AbsoluteUri);
- var encodedDictionary = OAuthChannel.GetUriEscapedParameters(messageDictionary);
- encodedDictionary.Remove("oauth_signature");
 var sortedKeyValueList = new List<KeyValuePair<string, string>>(encodedDictionary);
 sortedKeyValueList.Sort(SignatureBaseStringParameterComparer);
 StringBuilder paramBuilder = new StringBuilder(); |
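Review bot: The query parameters added in the `foreach` come out of `HttpUtility.ParseQueryString` already URL-decoded, yet they go into `encodedDictionary` beside entries that `OAuthChannel.GetUriEscapedParameters` has escaped, so a query value containing `&`, `=`, `%` or a space would reach the signature base string unescaped (assuming the `paramBuilder` code below the hunk joins the pairs as they are) and the signed string would no longer map to one unambiguous parameter set. Escape both sides with the same routine before adding, e.g. `encodedDictionary.Add(Escape(key), Escape(nvc[key]));`, where `Escape` is a placeholder for whatever escaper `GetUriEscapedParameters` applies. The loop also needs an explicit decision for inputs that would make `Add` throw if this is a plain dictionary, namely a null `key` (a query part with no `=`) and a name already present from the message; an `oauth_signature` in the query is also merged after the `Remove` call and so would be signed. `Uri.Query` returns an empty string rather than null, so the `else if` POST branch looks unreachable as written. The enclosing method starts and ends outside the hunk.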