  1. Qt
  2. QTBUG-65851

Possible wrong encoding/decoding of OAuth2 authorization code.


Details

    • Bug
    • Resolution: Out of scope
    • P2: Important
    • None
    • 5.9.0, 5.10.0
    • None
    • macOS 10.13.2

      Qt 5.9.1-5.10.0

    Description

      The issue may happen when QOAuth2AuthorizationCodeFlow receives an OAuth2 authorization code and sends it back to get a token.

      QOAuthHttpServerReplyHandlerPrivate decodes the OAuth2 authorization code from QUrlQuery with the QUrl::ComponentFormattingOption::PrettyDecoded flag (QOAuthHttpServerReplyHandlerPrivate::_q_answerClient()).

      However, QOAuth2AuthorizationCodeFlow encodes the same authorization code into QUrlQuery using the QUrl::ComponentFormattingOption::FullyEncoded flag (QOAuth2AuthorizationCodeFlow::requestAccessToken()). Maybe it can lead to corruption of the authorization code.

      In my case, if the authorization code contains a '/' symbol, it will be encoded by the OAuth2 server as '%2F' and will not be decoded inside QOAuthHttpServerReplyHandlerPrivate::_q_answerClient(). So it becomes '%252F' when it is encoded back, and the OAuth2 server will reject such an authorization code.

      Attachments


        Activity

          People

            jefernan Jesus Fernandez
            tanshihaj tanshihaj
            Votes: 1
            Watchers: 2

            Dates

              Created:
              Updated:
              Resolved:

              Gerrit Reviews

                There is 1 open Gerrit change
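
The round trip from the issue description, as an added example that is not part of the original report and is not Qt code: a stand-alone C++ model in which `decode(..., true)` stands in for a decode that leaves reserved-character escapes such as `%2F` untouched, and `encodeFull` for a full re-encode. The function names and the sample authorization code are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Percent-encode every byte outside the RFC 3986 unreserved set.
std::string encodeFull(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F]; }
    }
    return out;
}

static int hexVal(unsigned char c) {
    if (std::isdigit(c)) return c - '0';
    int u = std::toupper(c);
    return (u >= 'A' && u <= 'F') ? u - 'A' + 10 : -1;
}

// Decode %XX escapes. With keepReserved=true, escapes of reserved characters
// (and of '%') are left as they are: the partial decode the report describes.
std::string decode(const std::string &in, bool keepReserved) {
    static const std::string reserved = "%:/?#[]@!$&'()*+,;=";
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        int hi = -1, lo = -1;
        if (in[i] == '%' && i + 2 < in.size()) { hi = hexVal(in[i + 1]); lo = hexVal(in[i + 2]); }
        if (hi < 0 || lo < 0) { out += in[i]; continue; }  // literal byte or malformed escape
        char c = static_cast<char>(hi * 16 + lo);
        if (keepReserved && reserved.find(c) != std::string::npos)
            out.append(in, i, 3);  // keep "%2F" verbatim
        else
            out += c;
        i += 2;
    }
    return out;
}

// What the token request carries after receive (decode) and send (encode).
std::string roundTrip(const std::string &wire, bool keepReserved) {
    return encodeFull(decode(wire, keepReserved));
}

int main() {
    const std::string wire = "4%2FAAB-x_y";  // constructed sample code as sent by the server
    std::cout << "partial decode, then encode: " << roundTrip(wire, true) << "\n"
              << "full decode, then encode:    " << roundTrip(wire, false) << "\n";
}
```

The value survives the round trip only when the decode on receipt is the exact inverse of the encode on send.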