HMAC-SHA1 Verification does not follow OAuth Core specification

Bug #435992 reported by dobey
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Python oauth library
Unknown
Unknown
python-oauth (Ubuntu)
Undecided
dobey
Karmic
Undecided
dobey

Bug Description

Binary package hint: python-oauth

OAuth Core 1.0 specifies verification of the HMAC-SHA1 signature be done by comparing the digest bytes, after the parameter value is decoded from it's URL encoding, and then base64 decoded. The implementation in oauth.py is only comparing the base64 encoded strings.

Related branches

dobey (dobey)
Changed in python-oauth (Ubuntu):
status: New → In Progress
assignee: nobody → Rodney Dawes (dobey)
James Westby (james-w)
Changed in python-oauth (Ubuntu Karmic):
milestone: none → ubuntu-9.10-beta
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-oauth - 1.0a~svn1124-0ubuntu2

---------------
python-oauth (1.0a~svn1124-0ubuntu2) karmic; urgency=low

  * oauth/oauth.py: Fix typo and argument handling creating invalid
    OAuthRequests with from_consumer_and_token staticmethod().
    (LP: #435994, http://code.google.com/p/oauth/issues/detail?id=117)
  * oauth/oauth.py: Fix HMAC-SHA1 verification to follow OAuth Core 1.0 spec
    (LP: #435992, http://code.google.com/p/oauth/issues/detail?id=125)

python-oauth (1.0a~svn1124-0ubuntu1) karmic; urgency=low

  * New upsream snapshot, includes partial fix for issue 117, and fixes
    an error being raised when no verifier is sent to the server

 -- Rodney Dawes <email address hidden> Thu, 24 Sep 2009 14:15:33 -0400

Changed in python-oauth (Ubuntu Karmic):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.