Source: http://oauth.googlecode.com/svn/code/php/OAuth.php
Should we use PECL OAuth?
*/
public function check_signature($request, $consumer, $token, $signature) {
$built = $this->build_signature($request, $consumer, $token);
*/
public function check_signature($request, $consumer, $token, $signature) {
$built = $this->build_signature($request, $consumer, $token);
- return $built == $signature;
+
+ // Check for zero length, although unlikely here
+ if (strlen($built) == 0 || strlen($signature) == 0) {
+ return false;
+ }
+
+ if (strlen($built) != strlen($signature)) {
+ return false;
+ }
+
+ // Avoid a timing leak with a (hopefully) time insensitive compare
+ $result = 0;
+ for ($i = 0; $i < strlen($signature); $i++) {
+ $result |= ord($built{$i}) ^ ord($signature{$i});
+ }
+
+ return $result == 0;
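Review bot: The byte loop at `$result |= ord($built{$i}) ^ ord($signature{$i});` uses curly-brace string offsets, which PHP 7.4 deprecates and PHP 8.0 removes, so the new comparison will not parse on current PHP; `$built[$i]` and `$signature[$i]` are the equivalent offsets. On PHP 5.6 and later the whole added block, including both length guards, can be replaced by `return hash_equals($built, $signature);`, which is the runtime's own constant-time comparison. If the loop is kept, hoisting `strlen($signature)` out of the loop condition into a local and returning `$result === 0` would tighten it without changing behaviour. check_signature's closing brace lies outside the hunk.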
? 'http'
: 'https';
$http_url = ($http_url) ? $http_url : $scheme .
? 'http'
: 'https';
$http_url = ($http_url) ? $http_url : $scheme .
- '://' . $_SERVER['HTTP_HOST'] .
+ '://' . $_SERVER['SERVER_NAME'] .
':' .
$_SERVER['SERVER_PORT'] .
$_SERVER['REQUEST_URI'];
':' .
$_SERVER['SERVER_PORT'] .
$_SERVER['REQUEST_URI'];
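Review bot: Building the fallback URL from `$_SERVER['SERVER_NAME']` only removes the client-supplied Host header from the signature base string when the web server is configured to use its canonical name; with Apache's default `UseCanonicalName Off`, SERVER_NAME is itself derived from the Host header, so the benefit depends on deployment. That assumption deserves a comment above the assignment, e.g. `// SERVER_NAME rather than HTTP_HOST so the signed URL is not driven by the client's Host header; relies on the server being configured with a canonical name.` The port is appended unconditionally here, so the result presumably relies on the URL normalisation elsewhere in the file to drop default ports; the enclosing function starts before the hunk.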
$scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http';
$port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80');
$scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http';
$port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80');
- $host = (isset($parts['host'])) ? $parts['host'] : '';
+ $host = (isset($parts['host'])) ? strtolower($parts['host']) : '';
$path = (isset($parts['path'])) ? $parts['path'] : '';
if (($scheme == 'https' && $port != '443')
$path = (isset($parts['path'])) ? $parts['path'] : '';
if (($scheme == 'https' && $port != '443')
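Review bot: Lowercasing is applied to the host only, while `$scheme` is taken from `$parts['scheme']` as-is two lines earlier, so a URL written as `HTTPS://...` fails both `$scheme == 'https'` tests (the port default and the check on the last line) and is likely to normalise differently from its lowercase form, producing a signature mismatch. Normalising the scheme the same way keeps the two consistent: `$scheme = (isset($parts['scheme'])) ? strtolower($parts['scheme']) : 'http';`. The condition on the last line continues outside the hunk.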
if (isset($confirm)) {
if ($confirm == 'true') {
if (isset($confirm)) {
if ($confirm == 'true') {
- common_debug('Twitter bridge - callback confirmed.');
return $token;
} else {
throw new OAuthClientException(
return $token;
} else {
throw new OAuthClientException(
- 'Callback was not confirmed by Twitter.'
+ 'Callback was not confirmed by remote OAuth side.'
);
}
}
return $token;
} else {
throw new OAuthClientException(
);
}
}
return $token;
} else {
throw new OAuthClientException(
- 'Could not get a request token from Twitter.'
+ 'Could not get a request token from remote OAuth side.'
return $token;
} else {
throw new OAuthClientException(
return $token;
} else {
throw new OAuthClientException(
- 'Could not get a access token from Twitter.'
+ 'Could not get a access token from remote OAuth side.'