diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php index 3a0612f..661ceab 100644 --- a/lib/class-wp-json-authentication-oauth1.php +++ b/lib/class-wp-json-authentication-oauth1.php @@ -50,7 +50,7 @@ public function parse_header( $header ) { $params = array(); if ( preg_match_all( '/(oauth_[a-z_-]*)=(:?"([^"]*)"|([^,]*))/', $header, $matches ) ) { foreach ($matches[1] as $i => $h) { - $params[$h] = urldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] ); + $params[$h] = rawurldecode( empty($matches[3][$i]) ? $matches[4][$i] : $matches[3][$i] ); } if (isset($params['realm'])) { unset($params['realm']); @@ -365,13 +365,14 @@ public function generate_request_token( $params ) { // Generate token $key = apply_filters( 'json_oauth1_request_token_key', wp_generate_password( self::TOKEN_KEY_LENGTH, false ) ); + $callback = $params['oauth_callback']; $data = array( 'key' => $key, 'secret' => wp_generate_password( self::TOKEN_SECRET_LENGTH, false ), 'consumer' => $consumer->ID, 'authorized' => false, 'expiration' => time() + 24 * HOUR_IN_SECONDS, - 'callback' => null, + 'callback' => $callback, 'verifier' => null, 'user' => null, ); @@ -551,15 +552,12 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul $params = array_merge( $params, $oauth_params ); - $base_request_uri = rawurlencode( get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) ) ); + $base_request_uri = get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) ); // get the signature provided by the consumer and remove it from the parameters prior to checking the signature $consumer_signature = rawurldecode( $params['oauth_signature'] ); unset( $params['oauth_signature'] ); - // normalize parameter key/values - array_walk_recursive( $params, array( $this, 'normalize_parameters' ) ); - // sort parameters if ( ! uksort( $params, 'strcmp' ) ) return new WP_Error( 'json_oauth1_failed_parameter_sort', __( 'Invalid Signature - failed to sort parameters' ), array( 'status' => 401 ) ); @@ -567,7 +565,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul $query_string = $this->create_signature_string( $params ); $token = (array) $token; - $string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string; + $string_to_sign = $http_method . '&' . rawurlencode( $base_request_uri ) . '&' . rawurlencode( $query_string ); $key_parts = array( $consumer->secret, ( $token ? $token['secret'] : '' ) @@ -604,7 +602,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul * @return string Signature string */ public function create_signature_string( $params ) { - return implode( '%26', $this->join_with_equals_sign( $params ) ); // join with ampersand + return implode( '&', $this->join_with_equals_sign( $params ) ); // join with ampersand } /** @@ -624,27 +622,13 @@ public function join_with_equals_sign( $params, $query_params = array(), $key = if ( $key ) { $param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array } - $string = $param_key . '=' . $param_value; // join with equals sign - $query_params[] = urlencode( $string ); + $string = rawurlencode( $param_key ) . '=' . rawurlencode( $param_value ); // join with equals sign + $query_params[] = $string; } } return $query_params; } - /** - * Normalize each parameter by assuming each parameter may have already been encoded, so attempt to decode, and then - * re-encode according to RFC 3986 - * - * @since 2.1 - * @see rawurlencode() - * @param string $key - * @param string $value - */ - protected function normalize_parameters( &$key, &$value ) { - $key = rawurlencode( rawurldecode( $key ) ); - $value = rawurlencode( rawurldecode( $value ) ); - } - /** * Verify that the timestamp and nonce provided with the request are valid *