X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=extlib%2FOAuth.php;h=2e9142ab650466b990a17afcdefa48e3740ee2ef;hb=11c57e7aee073f7587e0594577da385e85f168bc;hp=e9c4bdfaec2d19cb5fb747757d41a53963eaee73;hpb=ddb60a8191de23fc11f6711954575ac7b6f49998;p=quix0rs-gnu-social.git diff --git a/extlib/OAuth.php b/extlib/OAuth.php index e9c4bdfaec..2e9142ab65 100644 --- a/extlib/OAuth.php +++ b/extlib/OAuth.php @@ -3,8 +3,10 @@ /* Generic exception class */ -class OAuthException extends Exception { - // pass +if (!class_exists('OAuthException')) { + class OAuthException extends Exception { + // pass + } } class OAuthConsumer { @@ -85,14 +87,30 @@ abstract class OAuthSignatureMethod { */ public function check_signature($request, $consumer, $token, $signature) { $built = $this->build_signature($request, $consumer, $token); - return $built == $signature; + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + // Avoid a timing leak with a (hopefully) time insensitive compare + $result = 0; + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; } } /** - * The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] - * where the Signature Base String is the text and the key is the concatenated values (each first - * encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' + * The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm as defined in [RFC2104] + * where the Signature Base String is the text and the key is the concatenated values (each first + * encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an '&' * character (ASCII code 38) even if empty. * - Chapter 9.2 ("HMAC-SHA1") */ @@ -118,7 +136,7 @@ class OAuthSignatureMethod_HMAC_SHA1 extends OAuthSignatureMethod { } /** - * The PLAINTEXT method does not provide any security protection and SHOULD only be used + * The PLAINTEXT method does not provide any security protection and SHOULD only be used * over a secure channel such as HTTPS. It does not use the Signature Base String. * - Chapter 9.4 ("PLAINTEXT") */ @@ -128,8 +146,8 @@ class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod { } /** - * oauth_signature is set to the concatenated encoded values of the Consumer Secret and - * Token Secret, separated by a '&' character (ASCII code 38), even if either secret is + * oauth_signature is set to the concatenated encoded values of the Consumer Secret and + * Token Secret, separated by a '&' character (ASCII code 38), even if either secret is * empty. The result MUST be encoded again. * - Chapter 9.4.1 ("Generating Signatures") * @@ -151,10 +169,10 @@ class OAuthSignatureMethod_PLAINTEXT extends OAuthSignatureMethod { } /** - * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in - * [RFC3447] section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for - * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a - * verified way to the Service Provider, in a manner which is beyond the scope of this + * The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in + * [RFC3447] section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for + * EMSA-PKCS1-v1_5. It is assumed that the Consumer has provided its RSA public key in a + * verified way to the Service Provider, in a manner which is beyond the scope of this * specification. * - Chapter 9.3 ("RSA-SHA1") */ @@ -243,7 +261,7 @@ class OAuthRequest { ? 'http' : 'https'; $http_url = ($http_url) ? $http_url : $scheme . - '://' . $_SERVER['HTTP_HOST'] . + '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI']; @@ -383,7 +401,7 @@ class OAuthRequest { $scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http'; $port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80'); - $host = (isset($parts['host'])) ? $parts['host'] : ''; + $host = (isset($parts['host'])) ? strtolower($parts['host']) : ''; $path = (isset($parts['path'])) ? $parts['path'] : ''; if (($scheme == 'https' && $port != '443') @@ -555,7 +573,7 @@ class OAuthServer { private function get_version(&$request) { $version = $request->get_parameter("oauth_version"); if (!$version) { - // Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present. + // Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present. // Chapter 7.0 ("Accessing Protected Ressources") $version = '1.0'; } @@ -569,7 +587,7 @@ class OAuthServer { * figure out the signature with some defaults */ private function get_signature_method($request) { - $signature_method = $request instanceof OAuthRequest + $signature_method = $request instanceof OAuthRequest ? $request->get_parameter("oauth_signature_method") : NULL; @@ -594,7 +612,7 @@ class OAuthServer { * try to find the consumer for the provided request's consumer key */ private function get_consumer($request) { - $consumer_key = $request instanceof OAuthRequest + $consumer_key = $request instanceof OAuthRequest ? $request->get_parameter("oauth_consumer_key") : NULL; @@ -666,7 +684,7 @@ class OAuthServer { throw new OAuthException( 'Missing timestamp parameter. The parameter is required' ); - + // verify that timestamp is recentish $now = time(); if (abs($now - $timestamp) > $this->timestamp_threshold) { @@ -752,7 +770,6 @@ class OAuthUtil { // parameters, has to do some unescaping // Can filter out any non-oauth parameters if needed (default behaviour) // May 28th, 2010 - method updated to tjerk.meesters for a speed improvement. - // see http://code.google.com/p/oauth/issues/detail?id=163 public static function split_header($header, $only_allow_oauth_parameters = true) { $params = array(); if (preg_match_all('/('.($only_allow_oauth_parameters ? 'oauth_' : '').'[a-z_-]*)=(:?"([^"]*)"|([^,]*))/', $header, $matches)) {