X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=extlib%2FOAuth.php;h=495121374edadeea90b1478c13b55c4fc34b7f67;hb=e9457db8b2f6999ecf01d792ea13adeef8126844;hp=e9c4bdfaec2d19cb5fb747757d41a53963eaee73;hpb=53d45d7ffbe6bcdf336a0e666942557c11cf909b;p=quix0rs-gnu-social.git diff --git a/extlib/OAuth.php b/extlib/OAuth.php index e9c4bdfaec..495121374e 100644 --- a/extlib/OAuth.php +++ b/extlib/OAuth.php @@ -3,8 +3,10 @@ /* Generic exception class */ -class OAuthException extends Exception { - // pass +if (!class_exists('OAuthException')) { + class OAuthException extends Exception { + // pass + } } class OAuthConsumer { @@ -85,7 +87,23 @@ abstract class OAuthSignatureMethod { */ public function check_signature($request, $consumer, $token, $signature) { $built = $this->build_signature($request, $consumer, $token); - return $built == $signature; + + // Check for zero length, although unlikely here + if (strlen($built) == 0 || strlen($signature) == 0) { + return false; + } + + if (strlen($built) != strlen($signature)) { + return false; + } + + // Avoid a timing leak with a (hopefully) time insensitive compare + $result = 0; + for ($i = 0; $i < strlen($signature); $i++) { + $result |= ord($built{$i}) ^ ord($signature{$i}); + } + + return $result == 0; } } @@ -243,7 +261,7 @@ class OAuthRequest { ? 'http' : 'https'; $http_url = ($http_url) ? $http_url : $scheme . - '://' . $_SERVER['HTTP_HOST'] . + '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI']; @@ -383,7 +401,7 @@ class OAuthRequest { $scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http'; $port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80'); - $host = (isset($parts['host'])) ? $parts['host'] : ''; + $host = (isset($parts['host'])) ? strtolower($parts['host']) : ''; $path = (isset($parts['path'])) ? $parts['path'] : ''; if (($scheme == 'https' && $port != '443')