Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-69709

QOAuth1 generates non-RFC 5849 compliant request

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3: Somewhat important
    • Resolution: Done
    • Affects Version/s: 5.9, 5.10.1, 5.11.1
    • Fix Version/s: 5.12.0 Beta 4
    • Labels:
      None
    • Environment:
      Diagnosed over Qt 5.10.1 on macOS 10.12; checked with the source of qt/qtnetworkauth.
    • Commits:
      51a0b723032640e3b3f99adf3e392ed7d8ceec33

      Description

      According to RFC 5849 ยง3.5,

      When making an OAuth-authenticated request, protocol parameters as well as any other parameter using the "oauth_" prefix SHALL be included in the request using one and only one of the following locations, listed in order of decreasing preference:
      1. The HTTP "Authorization" header field as described in Section 3.5.1.
      2. The HTTP request entity-body as described in Section 3.5.2.

      However, in QOAuth1::continueGrantWithVerifier, oauth_verifier is being sent as a HTTP POST parameter, which is not allowed in the RFC standard. It should be appended to the Authorization headers instead.

      Also, in QOAuth1Private::requestToken line 179,

      headers.insert(Key::oauthCallback, q->callback());

      oauth_callback was inserted into request header regardless of the current status. It is not causing problems for now, but is still an uncommon practice and possibly need to be fixed.

        Attachments

        No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

            • Assignee:
              rschiang Poren Chiang
              Reporter:
              rschiang Poren Chiang
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Gerrit Reviews

                There are no open Gerrit changes