ZF-10019: Zend_Oauth_Consumer::getAccessToken() overrides request parameters if oauth_verifier exists.
Description
I found a bug in Zend_Oauth.
Example code:
// get request token
...
// get access token
$consumer = new Zend_Oauth_Consumer($config);
$accessToken = new Zend_Oauth_Http_AccessToken($consumer, array('method' => 'oauth.getAccessToken'));
$token = $consumer->getAccessToken($_GET, $requestToken, null, $accessToken);
The second parameter for Zend_Oauth_Http_AccessToken::__construct() (array('method' => 'oauth.getAccessToken')) will be overridden if the request token contains the oauth_verifier parameter.
This happens in Zend/Oauth/Consumer.php:
    // OAuth 1.0a Verifier
    if (!is_null($authorizedToken->getParam('oauth_verifier'))) {
        $request->setParameters(array(
            'oauth_verifier' => $authorizedToken->getParam('oauth_verifier')
        ));
    }
A simple fix for this issue:
    // OAuth 1.0a Verifier
    if (!is_null($authorizedToken->getParam('oauth_verifier'))) {
        $params = array_merge($request->getParameters(), array(
            'oauth_verifier' => $authorizedToken->getParam('oauth_verifier')
        ));
        $request->setParameters($params);
    }
So the parameters will be merged and not overridden. This is necessary to get the digg API working.
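The difference between replacing and merging, as an added example that is not part of the original report or the Zend Framework source: `RequestStub` is a hypothetical stand-in whose `setParameters()` replaces the whole array, and all sample values are constructed. It also shows that with `array_merge()` the verifier taken from the authorized token wins over an `oauth_verifier` key already present in the custom parameters, because the later array takes precedence for string keys.

```php
<?php
// Hypothetical stand-in for the request object: setParameters() replaces
// the stored array wholesale, which is the behaviour the report describes.
final class RequestStub
{
    private $parameters;

    public function __construct(array $parameters = array())
    {
        $this->parameters = $parameters;
    }

    public function setParameters(array $parameters)
    {
        $this->parameters = $parameters;
    }

    public function getParameters()
    {
        return $this->parameters;
    }
}

// Before the fix: setting the verifier discards every custom parameter.
function applyVerifierReplacing(RequestStub $request, $verifier)
{
    if (!is_null($verifier)) {
        $request->setParameters(array('oauth_verifier' => $verifier));
    }
    return $request->getParameters();
}

// After the fix: custom parameters are kept. The verifier array is the
// second argument to array_merge(), so it overwrites a same-named key.
function applyVerifierMerging(RequestStub $request, $verifier)
{
    if (!is_null($verifier)) {
        $request->setParameters(array_merge(
            $request->getParameters(),
            array('oauth_verifier' => $verifier)
        ));
    }
    return $request->getParameters();
}

// Constructed sample input: a custom 'method' plus a stray verifier key.
$custom = array('method' => 'oauth.getAccessToken', 'oauth_verifier' => 'caller-supplied');
var_dump(applyVerifierReplacing(new RequestStub($custom), 'verifier-from-callback'));
var_dump(applyVerifierMerging(new RequestStub($custom), 'verifier-from-callback'));
var_dump(applyVerifierMerging(new RequestStub($custom), null)); // no verifier: untouched
```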
Comments
Posted by Pádraic Brady (padraic) on 2010-06-20T11:24:41.000+0000
Fixed in r22474. Thank you for the report!