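/**
 * Attempt to build up a request from what was passed to the server.
 *
 * Every argument is optional; anything omitted (or falsy) is reconstructed
 * from the superglobals:
 *   - $http_method falls back to $_SERVER['REQUEST_METHOD']
 *   - $http_url    falls back to scheme://SERVER_NAME:SERVER_PORT + REQUEST_URI
 *                  (scheme is https only when $_SERVER['HTTPS'] === 'on')
 *   - $parameters  falls back to GET, then form-encoded POST, then the
 *                  "OAuth ..." Authorization header; later sources override
 *                  earlier ones on duplicate keys
 *
 * Callers that already hold a parsed parameter list (XML-RPC and similar)
 * should pass it in so the request body is not re-read here.
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters
 * @return OAuthRequest
 */
public static function from_request($http_method = NULL, $http_url = NULL, $parameters = NULL) {
    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') ? 'http' : 'https';

    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    // We weren't handed any parameters, so find the ones relevant to this request.
    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();

        // GET parameters from the query string (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // A POST of the proper content-type: parse the body and let it override GET duplicates.
        if ($http_method === 'POST'
            && isset($request_headers['Content-Type'])
            && strpos($request_headers['Content-Type'], 'application/x-www-form-urlencoded') !== false) {
            $post_data = OAuthUtil::parse_parameters(file_get_contents(self::$POST_INPUT));
            $parameters = array_merge($parameters, $post_data);
        }

        // An Authorization header with OAuth data overrides both GET and POST.
        if (isset($request_headers['Authorization'])
            && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}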
/**
 * OAuthUtil::split_header(): by default only oauth_* keys are kept and the
 * realm is dropped; quoted values survive embedded commas; values are
 * URL-decoded ("hi+there" -> "hi there"); passing FALSE as the second
 * argument keeps every key.
 */
public function testSplitHeader() {
    // [header, expected result, second argument (null => use the default)]
    $cases = array(
        array(
            'OAuth realm="",oauth_foo=bar,oauth_baz="bla,rgh"',
            array('oauth_foo' => 'bar', 'oauth_baz' => 'bla,rgh'),
            null,
        ),
        array(
            'OAuth realm="",foo=bar,baz="bla,rgh"',
            array(),
            null,
        ),
        array(
            'OAuth realm="",foo=bar,baz="bla,rgh"',
            array('foo' => 'bar', 'baz' => 'bla,rgh'),
            false,
        ),
        array(
            'OAuth realm="",oauth_foo=hi+there,foo=bar,baz="bla,rgh"',
            array('oauth_foo' => 'hi there'),
            null,
        ),
    );

    foreach ($cases as $case) {
        list($header, $expected, $only_oauth) = $case;
        $actual = ($only_oauth === null)
            ? OAuthUtil::split_header($header)
            : OAuthUtil::split_header($header, $only_oauth);
        $this->assertEquals($expected, $actual);
    }
}
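/**
 * Validate a signed OAuth 1.0 body POST (oauth_body_hash) and return the raw body.
 *
 * Rejects application/x-www-form-urlencoded bodies, requires an "OAuth ..."
 * Authorization header carrying oauth_body_hash, verifies the request
 * signature against the given consumer with HMAC-SHA1, and finally checks
 * that base64(sha1(body)) equals the declared oauth_body_hash.
 *
 * Side effect: the signature base string is stored in the global
 * $LastOAuthBodyBaseString (existing callers read it for diagnostics).
 *
 * @param string $oauth_consumer_key
 * @param string $oauth_consumer_secret
 * @return string the raw request body read from php://input
 * @throws Exception on wrong content type, missing hash, failed signature or hash mismatch
 */
function handleOAuthBodyPOST($oauth_consumer_key, $oauth_consumer_secret) {
    global $LastOAuthBodyBaseString;

    $request_headers = OAuthUtil::get_headers();

    // Must reject application/x-www-form-urlencoded.
    // NOTE(review): the key is spelled 'Content-type' here but 'Content-Type'
    // elsewhere in this file; confirm how OAuthUtil::get_headers() normalises it.
    if (isset($request_headers['Content-type'])
        && $request_headers['Content-type'] === 'application/x-www-form-urlencoded') {
        throw new Exception("OAuth request body signing must not use application/x-www-form-urlencoded");
    }

    $oauth_body_hash = null;
    if (isset($request_headers['Authorization'])
        && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
        $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
        if (isset($header_parameters['oauth_body_hash'])) {
            $oauth_body_hash = $header_parameters['oauth_body_hash'];
        }
    }
    if ($oauth_body_hash === null) {
        throw new Exception("OAuth request body signing requires oauth_body_hash body");
    }

    // Verify the message signature.
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauth_consumer_key, $oauth_consumer_secret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());

    $request = OAuthRequest::from_request();
    $LastOAuthBodyBaseString = $request->get_signature_base_string();

    try {
        $server->verify_request($request);
    } catch (Exception $e) {
        throw new Exception("OAuth signature failed: " . $e->getMessage());
    }

    // The signature covers oauth_body_hash; now bind it to the actual body.
    // Constant-time compare so a mismatch does not leak how many bytes matched.
    $postdata = file_get_contents('php://input');
    $hash = base64_encode(sha1($postdata, TRUE));
    if (!hash_equals($hash, (string) $oauth_body_hash)) {
        throw new Exception("OAuth oauth_body_hash mismatch");
    }

    return $postdata;
}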
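/**
 * Attempt to build up a request from what was passed to the server.
 *
 * Arguments left NULL/falsy are reconstructed from the superglobals:
 *   - $http_method from $_SERVER['REQUEST_METHOD']
 *   - $http_url    from scheme://HTTP_HOST[:SERVER_PORT] + REQUEST_URI, where the
 *                  port is appended only when it is not 80/443 and HTTP_HOST
 *                  does not already carry one
 *   - $parameters  from GET, then $_POST (magic-quotes stripped where that
 *                  setting still exists), then the "OAuth ..." Authorization
 *                  header; later sources override earlier ones
 *
 * Callers running XML-RPC or similar should pass their own parsed parameter list.
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters
 * @return OAuthRequest
 */
public static function from_request($http_method = NULL, $http_url = NULL, $parameters = NULL) {
    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') ? 'http' : 'https';

    // Only append a non-default port, and never when the Host header already has one.
    $port = '';
    if (isset($_SERVER['SERVER_PORT'], $_SERVER['HTTP_HOST'])
        && (string) $_SERVER['SERVER_PORT'] !== '80'
        && (string) $_SERVER['SERVER_PORT'] !== '443'
        && strpos($_SERVER['HTTP_HOST'], ':') === false) {
        $port = ':' . $_SERVER['SERVER_PORT'];
    }

    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . $port . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    // We weren't handed any parameters, so find the ones relevant to this request.
    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();

        // GET parameters from the query string (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // Undo magic_quotes_gpc on POST data. The setting was removed in PHP 5.4 and
        // the function itself in 8.0, so guard the call; on modern PHP $_POST is used as-is.
        // http://www.php.net/manual/en/security.magicquotes.disabling.php
        $ourpost = $_POST;
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $ourpost = array();
            foreach ($_POST as $k => $v) {
                // stripslashes() only accepts strings; leave nested arrays untouched.
                $ourpost[$k] = is_string($v) ? stripslashes($v) : $v;
            }
        }

        // Add POST parameters if they exist, overriding GET duplicates.
        $parameters = array_merge($parameters, $ourpost);

        // An Authorization header with OAuth data overrides both GET and POST.
        if (isset($request_headers['Authorization'])
            && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}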
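/**
 * Validate a signed OAuth 1.0 body POST (oauth_body_hash) and return the body.
 *
 * The caller supplies the raw body and, optionally, the request headers
 * (so the function can be driven from tests or a non-CGI front end). The
 * request must not be form-urlencoded, must carry an "OAuth ..."
 * Authorization header with oauth_body_hash, must verify against the given
 * consumer under HMAC-SHA1, and base64(sha1($body)) must equal the declared
 * oauth_body_hash.
 *
 * @param string     $oauthconsumerkey
 * @param string     $oauthconsumersecret
 * @param string     $body            raw request body
 * @param array|null $requestheaders  header map; when null or empty it is read
 *                                    via OAuthUtil::get_headers()
 * @return string the verified body (identical to $body)
 * @throws OAuthException on wrong content type, missing hash, failed signature or hash mismatch
 */
function handle_oauth_body_post($oauthconsumerkey, $oauthconsumersecret, $body, $requestheaders = null) {
    // null or an empty array both mean "use the live request headers".
    if (empty($requestheaders)) {
        $requestheaders = OAuthUtil::get_headers();
    }

    // Must reject application/x-www-form-urlencoded.
    // NOTE(review): key spelled 'Content-type' here, 'Content-Type' elsewhere in
    // this file; confirm how OAuthUtil::get_headers() normalises header names.
    if (isset($requestheaders['Content-type'])
        && $requestheaders['Content-type'] === 'application/x-www-form-urlencoded') {
        throw new OAuthException("OAuth request body signing must not use application/x-www-form-urlencoded");
    }

    $oauthbodyhash = null;
    if (isset($requestheaders['Authorization'])
        && strncmp($requestheaders['Authorization'], 'OAuth ', 6) === 0) {
        $headerparameters = OAuthUtil::split_header($requestheaders['Authorization']);
        if (isset($headerparameters['oauth_body_hash'])) {
            $oauthbodyhash = $headerparameters['oauth_body_hash'];
        }
    }
    if ($oauthbodyhash === null) {
        throw new OAuthException("OAuth request body signing requires oauth_body_hash body");
    }

    // Verify the message signature.
    $store = new TrivialOAuthDataStore();
    $store->add_consumer($oauthconsumerkey, $oauthconsumersecret);
    $server = new OAuthServer($store);
    $server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());

    $request = OAuthRequest::from_request();
    try {
        $server->verify_request($request);
    } catch (\Exception $e) {
        throw new OAuthException("OAuth signature failed: " . $e->getMessage());
    }

    // The signature covers oauth_body_hash; bind it to the actual body with a
    // constant-time comparison so a mismatch does not leak how many bytes matched.
    $hash = base64_encode(sha1($body, true));
    if (!hash_equals($hash, (string) $oauthbodyhash)) {
        throw new OAuthException("OAuth oauth_body_hash mismatch");
    }

    return $body;
}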
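/**
 * Attempt to build up a request from what was passed to the server.
 *
 * Falsy arguments are filled in from the superglobals: the method from
 * REQUEST_METHOD, the URL from scheme://HTTP_HOST:SERVER_PORT + REQUEST_URI
 * (https only when $_SERVER['HTTPS'] === 'on'), and the parameters from the
 * query string, then a form-encoded POST body, then the "OAuth ..."
 * Authorization header, each later source overriding the earlier ones.
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters  pre-parsed parameters; pass them when the
 *                                 body has already been consumed (XML-RPC etc.)
 * @return OAuthRequest
 */
public static function from_request($http_method = NULL, $http_url = NULL, $parameters = NULL) {
    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') ? 'http' : 'https';

    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();

        // GET parameters from the query string (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // A POST of the proper content-type: parse the body and let it override GET duplicates.
        $content_type = isset($request_headers['Content-Type']) ? $request_headers['Content-Type'] : '';
        if ($http_method === 'POST'
            && strpos($content_type, 'application/x-www-form-urlencoded') !== false) {
            $post_data = OAuthUtil::parse_parameters(file_get_contents(self::$POST_INPUT));
            $parameters = array_merge($parameters, $post_data);
        }

        // An Authorization header with OAuth data overrides both GET and POST.
        if (isset($request_headers['Authorization'])
            && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}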
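/**
 * Build an OAuthRequest from the current server request.
 *
 * Each argument is optional and, when falsy, is derived from $_SERVER:
 * REQUEST_METHOD, scheme://HTTP_HOST:SERVER_PORT + REQUEST_URI, and the
 * merged parameter set (query string, form-encoded POST body, "OAuth ..."
 * Authorization header; later sources win on duplicate keys).
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters  already-parsed parameters, if the caller has them
 * @return OAuthRequest
 */
public static function from_request($http_method = null, $http_url = null, $parameters = null) {
    $is_https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
    $scheme = $is_https ? 'https' : 'http';

    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();
        $content_type = isset($request_headers['Content-Type']) ? $request_headers['Content-Type'] : '';
        $authorization = isset($request_headers['Authorization']) ? $request_headers['Authorization'] : '';

        // Query string first (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // Form-encoded POST body overrides GET duplicates.
        $is_form_post = $http_method === 'POST'
            && strpos($content_type, 'application/x-www-form-urlencoded') !== false;
        if ($is_form_post) {
            $post_data = OAuthUtil::parse_parameters(file_get_contents(self::$POST_INPUT));
            $parameters = array_merge($parameters, $post_data);
        }

        // "OAuth ..." Authorization header overrides both.
        if (strncmp($authorization, 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($authorization);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}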
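/**
 * Attempt to build up a request from what was passed to the server.
 *
 * Falsy arguments are filled in from the superglobals (REQUEST_METHOD;
 * scheme://HTTP_HOST:SERVER_PORT + REQUEST_URI; query string, then a
 * form-encoded POST body, then the "OAuth ..." Authorization header, later
 * sources overriding earlier ones).
 *
 * Friendica-specific: when a "q" parameter is present, the URL is cut off
 * right after the q value and q is dropped from the parameter set before
 * the OAuthRequest is built.
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters  pre-parsed parameters (XML-RPC etc.)
 * @return OAuthRequest
 */
public static function from_request($http_method = NULL, $http_url = NULL, $parameters = NULL) {
    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') ? 'http' : 'https';

    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    // We weren't handed any parameters, so find the ones relevant to this request.
    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();

        // GET parameters from the query string (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // A POST of the proper content-type: parse the body and let it override GET duplicates.
        $content_type = isset($request_headers['Content-Type']) ? $request_headers['Content-Type'] : '';
        if ($http_method === 'POST'
            && strpos($content_type, 'application/x-www-form-urlencoded') !== false) {
            $post_data = OAuthUtil::parse_parameters(file_get_contents(self::$POST_INPUT));
            $parameters = array_merge($parameters, $post_data);
        }

        // An Authorization header with OAuth data overrides both GET and POST.
        if (isset($request_headers['Authorization'])
            && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    // Fix for the friendica redirect system: truncate the URL after the "q"
    // value and drop "q" from the parameters. Only done when q is actually
    // present in both places; otherwise the URL would collapse to "".
    // FIXME or don't, but figure out if this is absolutely necessary and act accordingly
    if (isset($parameters['q']) && is_string($parameters['q']) && $parameters['q'] !== '') {
        $q_pos = strpos($http_url, $parameters['q']);
        if ($q_pos !== false) {
            $http_url = substr($http_url, 0, $q_pos + strlen($parameters['q']));
        }
        unset($parameters['q']);
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}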
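/**
 * Collect the OAuth-relevant parameters of the current request.
 *
 * Sources, in override order (later wins on duplicate keys):
 *   1. the query part of REQUEST_URI (not QUERY_STRING, see the note below)
 *   2. a form-encoded POST body
 *   3. an "OAuth ..." Authorization header
 *
 * @return array parameter name => value
 */
function oauth_get_params() {
    // Find request headers
    $request_headers = OAuthUtil::get_headers();

    /*
     * This next part is a hack. It ignores QUERY_STRING because that gets
     * messed up by the apache mod_rewrite rules for page views, and you end
     * up with 'handler' and 'request' variables on the parameter stack. That
     * in turn messes up OAuth's signature base string generation, causing
     * things to fail. This may bite back some day, especially if this pam
     * module gets called from somewhere other than the API chain.
     */
    $querystr = '';
    if (!empty($_SERVER['REQUEST_URI'])) {
        // Split on the question mark to get the real query parameters before Apache mangles them.
        $qparts = explode('?', $_SERVER['REQUEST_URI'], 2);
        if (count($qparts) === 2) {
            $querystr = $qparts[1];
        }
    }
    $parameters = OAuthUtil::parse_parameters($querystr);

    // A POST of the proper content-type: parse the body and let it override GET duplicates.
    $content_type = isset($request_headers['Content-Type']) ? $request_headers['Content-Type'] : '';
    if (strpos($content_type, 'application/x-www-form-urlencoded') !== false) {
        $post_data = OAuthUtil::parse_parameters(file_get_contents(OAuthRequest::$POST_INPUT));
        $parameters = array_merge($parameters, $post_data);
    }

    // An Authorization header with OAuth data overrides both GET and POST.
    if (isset($request_headers['Authorization'])
        && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
        $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
        $parameters = array_merge($parameters, $header_parameters);
    }

    return $parameters;
}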
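/**
 * Verify that the HTTP request is a legitimate one sent by mixi.
 * When implementing a mixi mobile app, run this method on every request.
 *
 * @param int $type Signature scheme; one of the Mars_OAuthProvider::SIGNATURE_* constants.
 * @return bool TRUE when the signature validates, FALSE otherwise.
 * @throws Mars_UnsupportedException when an unsupported signature scheme is given.
 * @link http://developer.mixi.co.jp/appli/spec/mob/validate-oauth-signature How to validate the OAuth signature
 * @link http://developer.mixi.co.jp/appli/spec/mob/for_partners/photo_upload_api Photo upload from an app
 * @link http://developer.mixi.co.jp/appli/spec/mob/for_partners/lifecycle_event Lifecycle events
 * @see Mars_OAuthProvider::isAuthorizaed()
 * @author Naomichi Yamakita <*****@*****.**>
 */
public function isAuthorized($type = self::SIGNATURE_HMAC) {
    $result = FALSE;

    switch ($type) {
        case self::SIGNATURE_HMAC:
            $authorization = $this->request->getHeader('Authorization');

            // Turn the key="value" pairs of the Authorization header into an associative array.
            preg_match_all('/([a-z_]+)="([^"]+)"/', $authorization, $matches);

            if (count($matches[0])) {
                $attributes = array_combine($matches[1], $matches[2]);

                // Base-string parameters: the OAuth bookkeeping fields from the header
                // (NULL when absent) plus the app and owner ids.
                $parameters = array();
                foreach (array('oauth_nonce', 'oauth_signature_method', 'oauth_timestamp', 'oauth_version') as $name) {
                    $parameters[$name] = isset($attributes[$name]) ? $attributes[$name] : NULL;
                }
                $parameters['opensocial_app_id'] = Mars_MixiMobileApp::getApplicationId();
                $parameters['opensocial_owner_id'] = Mars_MixiMobileApp::getOwnerId();

                // "+" keeps the values set above on duplicate keys; query values fill in the rest.
                $parameters += $this->request->getQuery();

                $method = $this->request->getRequestMethod();
                $uri = $this->request->getURL(FALSE);

                $request = OAuthRequest::from_consumer_and_token($this->_consumer, NULL, $method, $uri, $parameters);
                $request->sign_request(new OAuthSignatureMethod_HMAC_SHA1(), $this->_consumer, NULL);

                $buildSignature = @$request->get_parameter('oauth_signature');
                $requestSignature = isset($attributes['oauth_signature'])
                    ? urldecode($attributes['oauth_signature'])
                    : NULL;

                // Constant-time comparison so timing does not reveal how much of the signature matched.
                if (is_string($buildSignature) && is_string($requestSignature)
                    && hash_equals($buildSignature, $requestSignature)) {
                    $result = TRUE;
                }
            }
            break;

        case self::SIGNATURE_RSA_PC:
            $request = OAuthRequest::from_request(NULL, NULL, array_merge($_GET, $_POST));

            // On a malformed request get_parameter() raises 'Undefined index: oauth_signature'
            // (confirmed at r525), hence the error-control operator.
            $signature = @$request->get_parameter('oauth_signature');

            if (!is_null($signature)) {
                $signatureMethod = new Mars_MixiPCSignature();
                $result = $signatureMethod->check_signature($request, NULL, NULL, $signature);
            }
            break;

        case self::SIGNATURE_RSA_TOUCH:
            $request = OAuthRequest::from_request(NULL, NULL, array_merge($_GET, $_POST));
            $signature = @$request->get_parameter('oauth_signature');

            if (!is_null($signature)) {
                $signatureMethod = new Mars_MixiTouchSignature();
                $result = $signatureMethod->check_signature($request, NULL, NULL, $signature);
            }
            break;

        case self::SIGNATURE_RSA_PHOTO_UPLOAD:
            $request = OAuthRequest::from_request();
            $signature = @$request->get_parameter('oauth_signature');

            if (!is_null($signature)) {
                $signatureMethod = new Mars_MixiFileUploadSignature();
                $result = $signatureMethod->check_signature($request, NULL, NULL, $signature);
            }
            break;

        case self::SIGNATURE_RSA_LIFECYCLE_EVENT:
            // A request carrying an owner or viewer id is not treated as a lifecycle
            // event; the result stays FALSE.
            if ($this->request->getParameter('opensocial_owner_id') !== NULL) {
                break;
            }
            if ($this->request->getParameter('opensocial_viewer_id') !== NULL) {
                break;
            }

            // Lifecycle events arrive from mixi as POST requests. The OAuth spec says the
            // POST data takes part in the signature, but the mixi side does not follow the
            // spec here, so only the query string is used.
            $requestHeaders = OAuthUtil::get_headers();
            $parameters = OAuthUtil::parse_parameters($this->request->getEnvironment('QUERY_STRING'));

            if (isset($requestHeaders['Authorization'])
                && strncmp($requestHeaders['Authorization'], 'OAuth ', 6) === 0) {
                $headerParameters = OAuthUtil::split_header($requestHeaders['Authorization'], FALSE);
                $parameters = array_merge($parameters, $headerParameters);

                $request = OAuthRequest::from_request(NULL, NULL, $parameters);
                $signature = $request->get_parameter('oauth_signature');

                if (!is_null($signature)) {
                    $signatureMethod = new Mars_MixiLifecycleEventSignature();
                    $result = $signatureMethod->check_signature($request, NULL, NULL, $signature);
                }
            }
            break;

        default:
            $message = sprintf('Signature format is not supported. [%s]', $type);
            throw new Mars_UnsupportedException($message);
    }

    return $result;
}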
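/**
 * Attempt to build up a request from what was passed to the server.
 *
 * Falsy arguments are filled in from the superglobals: the method from
 * REQUEST_METHOD, the URL from scheme://HTTP_HOST + REQUEST_URI, and the
 * parameters from the query string, then $_POST, then the "OAuth ..."
 * Authorization header (later sources override earlier ones).
 *
 * @param string|null $http_method
 * @param string|null $http_url
 * @param array|null  $parameters  pre-parsed parameters (XML-RPC etc.)
 * @return OAuthRequest
 */
public static function from_request($http_method = NULL, $http_url = NULL, $parameters = NULL) {
    $scheme = (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') ? 'http' : 'https';

    // SERVER_PORT is not appended here: HTTP_HOST is used verbatim, which already
    // carries a port when the client sent one. NOTE(review): confirm this matches
    // the URL the signing peer uses, or signatures on non-default ports will fail.
    if (!$http_url) {
        $http_url = $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    }
    if (!$http_method) {
        $http_method = $_SERVER['REQUEST_METHOD'];
    }

    // We weren't handed any parameters, so find the ones relevant to this request.
    if (!$parameters) {
        $request_headers = OAuthUtil::get_headers();

        // GET parameters from the query string (QUERY_STRING may be unset under some SAPIs).
        $query_string = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
        $parameters = OAuthUtil::parse_parameters($query_string);

        // Add POST parameters if they exist, overriding GET duplicates.
        $parameters = array_merge($parameters, $_POST);

        // An Authorization header with OAuth data overrides both GET and POST.
        if (isset($request_headers['Authorization'])
            && strncmp($request_headers['Authorization'], 'OAuth ', 6) === 0) {
            $header_parameters = OAuthUtil::split_header($request_headers['Authorization']);
            $parameters = array_merge($parameters, $header_parameters);
        }
    }

    return new OAuthRequest($http_method, $http_url, $parameters);
}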