Qt / QTBUG-65851

Possible wrong encoding/decoding of OAuth2 authorization code.


    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2: Important
    • Resolution: Out of scope
    • Affects Version/s: 5.9.0, 5.10.0
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      macOS 10.13.2

      Qt 5.9.1-5.10.0

      Description

      The issue may happen when QOAuth2AuthorizationCodeFlow receives an OAuth2 authorization code and sends it back to get a token.

      QOAuthHttpServerReplyHandlerPrivate decodes the OAuth2 authorization code from QUrlQuery with the QUrl::ComponentFormattingOption::PrettyDecoded flag (QOAuthHttpServerReplyHandlerPrivate::_q_answerClient()).

      However, QOAuth2AuthorizationCodeFlow encodes the same authorization code into QUrlQuery using the QUrl::ComponentFormattingOption::FullyEncoded flag (QOAuth2AuthorizationCodeFlow::requestAccessToken()). Maybe it can lead to corruption of the authorization code.

      In my case, if the authorization code contains a '/' symbol, it will be encoded by the OAuth2 server as '%2F' and will not be decoded inside QOAuthHttpServerReplyHandlerPrivate::_q_answerClient(). So it becomes '%252F' when it is encoded back, and the OAuth2 server will reject such an authorisation code.
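
The mismatch described in the report, reproduced as an added example (not Qt's code and not written by the reporter): a simplified C++ model without Qt, in which `percentDecode(..., true)` stands in for a decode that leaves `%2F` escaped and `percentEncode` for a full encode. The function names and the sample code value are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// RFC 3986 unreserved characters: the only bytes left unescaped here.
static bool isUnreserved(unsigned char c) {
    return std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

static int hexVal(unsigned char c) {
    return std::isxdigit(c) ? (std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10) : -1;
}

// Decode %XX escapes. keepReserved=true models the partial decode from the
// report: escapes of reserved characters such as %2F are left as they are.
std::string percentDecode(const std::string &in, bool keepReserved) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        int hi = -1, lo = -1;
        if (in[i] == '%' && i + 2 < in.size()) { hi = hexVal(in[i + 1]); lo = hexVal(in[i + 2]); }
        if (hi < 0 || lo < 0) { out.push_back(in[i]); continue; }
        unsigned char c = static_cast<unsigned char>(hi * 16 + lo);
        if (keepReserved && !isUnreserved(c)) out.append(in, i, 3);
        else out.push_back(static_cast<char>(c));
        i += 2;
    }
    return out;
}

// Full encode: every byte outside the unreserved set, '%' included, is escaped.
std::string percentEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (isUnreserved(c)) { out.push_back(static_cast<char>(c)); continue; }
        out += {'%', hex[c >> 4], hex[c & 15]};
    }
    return out;
}

// The redirect handler decodes the code, then the token request encodes it again.
std::string relayCode(const std::string &wire, bool keepReserved) {
    return percentEncode(percentDecode(wire, keepReserved));
}

int main() {
    const std::string wire = "4%2FAbC-123";  // constructed sample value
    std::cout << relayCode(wire, true) << '\n' << relayCode(wire, false) << '\n';
}
```

The partial decode followed by a full encode turns `%2F` into `%252F`, while a full decode before re-encoding returns the value the server originally sent.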


            People

            • Assignee:
              jefernan Jesus Fernandez
              Reporter:
              tanshihaj tanshihaj
            • Votes:
              1
              Watchers:
              2


                Gerrit Reviews

                There is 1 open Gerrit change