Restored double URL Encode

Fixes daviddesberg#596
jeroenvermeulen · Jan 8, 2024 · 49d98d5 · 49d98d5
1 parent 54b07ee
commit 49d98d5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 24 deletions.
diff --git a/src/OAuth/OAuth1/Signature/Signature.php b/src/OAuth/OAuth1/Signature/Signature.php
@@ -54,6 +54,7 @@ public function getSignature(UriInterface $uri, array $params, $method = 'POST')
         parse_str($uri->getQuery(), $queryStringData);
 
         $signatureData = array_merge($queryStringData, $params);
+        $this->ksortRecursive($signatureData);
 
         // determine base uri
         $baseUri = $uri->getScheme() . '://' . $uri->getRawAuthority();
@@ -66,27 +67,12 @@ public function getSignature(UriInterface $uri, array $params, $method = 'POST')
 
         $baseString = strtoupper($method) . '&';
         $baseString .= rawurlencode($baseUri) . '&';
-        $baseString .= http_build_query($signatureData, '', '&', PHP_QUERY_RFC3986);
+        // The url paramaters are first encoded induvidually by http_build_query, then the result is encoded again.
+        $baseString .= rawurlencode(http_build_query($signatureData, '', '&', PHP_QUERY_RFC3986));
 
         return base64_encode($this->hash($baseString));
     }
 
-    /**
-     * @return string
-     */
-    protected function buildSignatureDataString(array $signatureData)
-    {
-        $signatureString = '';
-        $delimiter = '';
-        foreach ($signatureData as $key => $value) {
-            $signatureString .= $delimiter . $key . '=' . $value;
-
-            $delimiter = '&';
-        }
-
-        return $signatureString;
-    }
-
     /**
      * @return string
      */
@@ -116,4 +102,21 @@ protected function hash($data)
                 );
         }
     }
+
+    /**
+     * Rescursively sorts an array by key.
+     * @param string $data
+     *
+     * @return string
+     */
+    protected function ksortRecursive(&$array, $sort_flags = SORT_REGULAR) {
+        if (!is_array($array)) {
+            return false;
+        }
+        ksort($array, $sort_flags);
+        foreach ($array as &$arr) {
+            $this->ksortRecursive($arr, $sort_flags);
+        }
+        return true;
+    }
 }
diff --git a/tests/Unit/OAuth1/Signature/SignatureTest.php b/tests/Unit/OAuth1/Signature/SignatureTest.php
@@ -41,7 +41,6 @@ public function testSetTokenSecret(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -79,7 +78,6 @@ public function testGetSignatureBareUri(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -117,7 +115,6 @@ public function testGetSignatureWithQueryString(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -155,7 +152,6 @@ public function testGetSignatureWithAuthority(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -196,7 +192,6 @@ public function testGetSignatureWithBarePathNonExplicitTrailingHostSlash(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -237,7 +232,6 @@ public function testGetSignatureWithBarePathWithExplicitTrailingHostSlash(): voi
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash
@@ -277,7 +271,6 @@ public function testGetSignatureNoTokenSecretSet(): void
 
     /**
      * @covers \OAuth\OAuth1\Signature\Signature::__construct
-     * @covers \OAuth\OAuth1\Signature\Signature::buildSignatureDataString
      * @covers \OAuth\OAuth1\Signature\Signature::getSignature
      * @covers \OAuth\OAuth1\Signature\Signature::getSigningKey
      * @covers \OAuth\OAuth1\Signature\Signature::hash