  1. Qt
  2. QTBUG-61125

QOAuth1 creates an invalid signature for percent encoded query

Details

    • Bug
    • Resolution: Done
    • P2: Important
    • 5.9.2
    • 5.8.0
    • None
    • 61a1f8ee91a33734f12c14b25ceaff3ae05174e3

    Description

      I'm using QOAuth1 with a web service (Twitter) that requires URLs to be percent encoded. If I use any special characters in the query, the server rejects the request due to an invalid signature.

      QOAuth1::get() doesn't automatically percent encode the URL, so you'd need to encode the query before passing it to QOAuth1::get(). But QOAuth1Signature percent encodes all query parameters in the URL, even if they were already percent encoded. So if I want to include "@value" in the query, I would pass it as "%40value" to QOAuth1. Then QOAuth1Signature encodes it to "%2540value" and generates a wrong signature.

       

      #include <QtNetworkAuth>
      
      void testOAuth() {
        QVariantMap oauthParams;
        oauthParams.insert("oauth_consumer_key", "consumerkey");
        oauthParams.insert("oauth_version", "1.0");
        oauthParams.insert("oauth_token", "token");
        oauthParams.insert("oauth_signature_method", "HMAC-SHA1");
        oauthParams.insert("oauth_nonce", "nonce");
        oauthParams.insert("oauth_timestamp", "time");
      
        QUrl url("http://example.com");
        QString key = "key";
        QString value = "@value";
        QOAuth1 auth;
        QList<QByteArray> results;
       
        {
          QUrlQuery query;
          query.addQueryItem(key, value);
          url.setQuery(query);
          results << auth.get(url)->url().toEncoded(); // http://example.com?key=@value
          QOAuth1Signature sig(url, QOAuth1Signature::HttpRequestMethod::Get, oauthParams);
          results << sig.hmacSha1().toBase64(); // SrVdwHkvs+tTuPls+i47bOD0H9Q=
        }
      
        {
          QUrlQuery query;
          query.addQueryItem(key, QUrl::toPercentEncoding(value));
          url.setQuery(query);
          results << auth.get(url)->url().toEncoded(); // http://example.com?key=%40value
          QOAuth1Signature sig(url, QOAuth1Signature::HttpRequestMethod::Get, oauthParams);
          results << sig.hmacSha1().toBase64(); // QHEARfCVhXa7L6Y1sirmOwkZRFE=
        }
      }
      

      Attachments

        1. main.cpp
          0.3 kB
        2. TestOAuth.cpp
          0.7 kB
        3. TestOAuth.hpp
          0.3 kB
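
The double encoding described in this report, reproduced outside Qt as an added example (not code from the reporter or from Qt): it builds the RFC 5849 normalized parameter string from query pairs that are already percent-encoded, once re-encoding the escapes and once decoding them first. The names `pctEncode`, `pctDecode` and `normalize` and the sample pairs are constructed for illustration.

```cpp
// Added illustration in plain C++ (no Qt); all function names are hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <utility>
#include <vector>
using Pairs = std::vector<std::pair<std::string, std::string>>;

// RFC 3986 percent-encoding: only unreserved characters pass through.
std::string pctEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in)
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += static_cast<char>(c);
        else out += {'%', hex[c >> 4], hex[c & 0x0F]};
    return out;
}

// Decode %XX escapes; a malformed escape is copied through ('+' is not mapped to space).
std::string pctDecode(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool esc = in[i] == '%' && i + 2 < in.size()
                   && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
                   && std::isxdigit(static_cast<unsigned char>(in[i + 2]));
        out += esc ? static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)) : in[i];
        if (esc) i += 2;
    }
    return out;
}

// Normalized parameter string (RFC 5849 section 3.4.1.3.2) from query pairs as
// they appear on the wire. decodeFirst=false encodes the existing escapes again.
std::string normalize(const Pairs &wire, bool decodeFirst) {
    Pairs enc;
    for (const auto &p : wire)
        enc.emplace_back(pctEncode(decodeFirst ? pctDecode(p.first) : p.first),
                         pctEncode(decodeFirst ? pctDecode(p.second) : p.second));
    std::sort(enc.begin(), enc.end());  // sort by encoded name, then value
    std::string out;
    for (const auto &p : enc)
        out += (out.empty() ? "" : "&") + p.first + "=" + p.second;
    return out;
}

int main() {
    Pairs wire = {{"key", "%40value"}, {"a", "b%20c"}};  // constructed sample query
    std::cout << normalize(wire, false) << "\n" << normalize(wire, true) << "\n";
}
```

A server that decodes the query before signing computes its HMAC over the second string, so a client signing the first one is rejected.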

          People

            manordheim Mårten Nordheim
            sottka sottka