X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=extlib%2FOAuth.php;h=04984d5fa0327defc0c6f1b1fe6f4c770254b96d;hb=a8c90d02438b23a73b9195e10ebed54c33f1dce0;hp=029166175c5f4b6ad07fac4bb47ea0502c7b95f9;hpb=003c63e587128c6d095386c563c2615c2ac245c2;p=quix0rs-gnu-social.git diff --git a/extlib/OAuth.php b/extlib/OAuth.php index 029166175c..04984d5fa0 100644 --- a/extlib/OAuth.php +++ b/extlib/OAuth.php @@ -54,6 +54,24 @@ class OAuthSignatureMethod {/*{{{*/ public function check_signature(&$request, $consumer, $token, $signature) { $built = $this->build_signature($request, $consumer, $token); return $built == $signature; + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + $result = 0; + + // Avoid a timing leak with a (hopefully) time insensitive compare + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; } }/*}}}*/ @@ -199,7 +217,8 @@ class OAuthRequest {/*{{{*/ } else { // collect request parameters from query string (GET) and post-data (POST) if appropriate (note: POST vars have priority) $req_parameters = $_GET; - if ($http_method == "POST" && @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") ) { + if ($http_method == "POST" && + ( @strstr($request_headers["Content-Type"], "application/x-www-form-urlencoded") || @strstr($_ENV["CONTENT_TYPE"], "application/x-www-form-urlencoded") )) { $req_parameters = array_merge($req_parameters, $_POST); } @@ -326,7 +345,7 @@ class OAuthRequest {/*{{{*/ public function get_normalized_http_url() {/*{{{*/ $parts = parse_url($this->http_url); - $port = @$parts['port']; + $port = isset($parts['port']) ? $parts['port'] : null; $scheme = $parts['scheme']; $host = $parts['host']; $path = @$parts['path'];