explicitly license documentation under CC-BY 3.0

[quix0rs-gnu-social.git] / extlib / OAuth.php

diff --git a/extlib/OAuth.php b/extlib/OAuth.php
index 029166175c5f4b6ad07fac4bb47ea0502c7b95f9..04984d5fa0327defc0c6f1b1fe6f4c770254b96d 100644 (file)
--- a/extlib/OAuth.php
+++ b/extlib/OAuth.php
@@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/
   public function check_signature(&$request, $consumer, $token, $signature) {
     $built = $this->build_signature($request, $consumer, $token);
     return $built == $signature;
+
+    // Check for zero length, although unlikely here
+    if (strlen($built) == 0 || strlen($signature) == 0) {
+      return false;
+    }
+
+    if (strlen($built) != strlen($signature)) {
+      return false;
+    }
+
+    $result = 0;
+
+    // Avoid a timing leak with a (hopefully) time insensitive compare
+    for ($i = 0; $i < strlen($signature); $i++) {
+      $result |= ord($built{$i}) ^ ord($signature{$i});
+    }
+
+    return $result == 0;
   }
 }/*}}}*/
 
@@ -199,7 +217,8 @@ class OAuthRequest {/*{{{*/
     } else {
       // collect request parameters from query string (GET) and post-data (POST) if appropriate (note: POST vars have priority)
       $req_parameters = $_GET;
-      if ($http_method == "POST" && @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") ) {
+      if ($http_method == "POST" &&
+        ( @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") || @strstr($_ENV["CONTENT_TYPE"], "application/x-www-form-urlencoded") )) {
         $req_parameters = array_merge($req_parameters, $_POST);
       }
 
@@ -326,7 +345,7 @@ class OAuthRequest {/*{{{*/
   public function get_normalized_http_url() {/*{{{*/
     $parts = parse_url($this->http_url);
 
-    $port = @$parts['port'];
+    $port = isset($parts['port']) ? $parts['port'] : null;
     $scheme = $parts['scheme'];
     $host = $parts['host'];
     $path = @$parts['path'];