OAuth extlib updated and Twitter comments removed

Source: http://oauth.googlecode.com/svn/code/php/OAuth.php

Should we use PECL OAuth?

diff --git a/extlib/OAuth.php b/extlib/OAuth.php
index e9c4bdfaec2d19cb5fb747757d41a53963eaee73..9dc9a99b750ba6439c8dd8f704b5a9d0b9b8f0c1 100644 (file)
--- a/extlib/OAuth.php
+++ b/extlib/OAuth.php
@@ -85,7 +85,23 @@ abstract class OAuthSignatureMethod {
    */
   public function check_signature($request, $consumer, $token, $signature) {
     $built = $this->build_signature($request, $consumer, $token);
-    return $built == $signature;
+
+    // Check for zero length, although unlikely here
+    if (strlen($built) == 0 || strlen($signature) == 0) {
+      return false;
+    }
+
+    if (strlen($built) != strlen($signature)) {
+      return false;
+    }
+
+    // Avoid a timing leak with a (hopefully) time insensitive compare
+    $result = 0;
+    for ($i = 0; $i < strlen($signature); $i++) {
+      $result |= ord($built{$i}) ^ ord($signature{$i});
+    }
+
+    return $result == 0;
   }
 }
 
@@ -243,7 +259,7 @@ class OAuthRequest {
               ? 'http'
               : 'https';
     $http_url = ($http_url) ? $http_url : $scheme .
-                              '://' . $_SERVER['HTTP_HOST'] .
+                              '://' . $_SERVER['SERVER_NAME'] .
                               ':' .
                               $_SERVER['SERVER_PORT'] .
                               $_SERVER['REQUEST_URI'];
@@ -383,7 +399,7 @@ class OAuthRequest {
 
     $scheme = (isset($parts['scheme'])) ? $parts['scheme'] : 'http';
     $port = (isset($parts['port'])) ? $parts['port'] : (($scheme == 'https') ? '443' : '80');
-    $host = (isset($parts['host'])) ? $parts['host'] : '';
+    $host = (isset($parts['host'])) ? strtolower($parts['host']) : '';
     $path = (isset($parts['path'])) ? $parts['path'] : '';
 
     if (($scheme == 'https' && $port != '443')

diff --git a/lib/oauthclient.php b/lib/oauthclient.php
index e14f6733927ad547a85104df02455cab5072b3bb..0233a4b2be9468737783019f4919380bc21bfa1f 100644 (file)
--- a/lib/oauthclient.php
+++ b/lib/oauthclient.php
@@ -118,18 +118,17 @@ class OAuthClient
 
             if (isset($confirm)) {
                 if ($confirm == 'true') {
-                    common_debug('Twitter bridge - callback confirmed.');
                     return $token;
                 } else {
                     throw new OAuthClientException(
-                        'Callback was not confirmed by Twitter.'
+                        'Callback was not confirmed by remote OAuth side.'
                     );
                 }
             }
             return $token;
         } else {
             throw new OAuthClientException(
-                'Could not get a request token from Twitter.'
+                'Could not get a request token from remote OAuth side.'
             );
         }
     }
@@ -181,7 +180,7 @@ class OAuthClient
             return $token;
         } else {
             throw new OAuthClientException(
-                'Could not get a access token from Twitter.'
+                'Could not get a access token from remote OAuth side.'
             );
         }
     }