Issues

ZF-10019: Zend_Oauth_Consumer::getAccessToken() overrides request parameters if oauth_verifier exists.

Description

I found a bug in Zend_Oauth.

Example code:


// get request token
...

// get access token
$consumer    = new Zend_Oauth_Consumer($config);
$accessToken = new Zend_Oauth_Http_AccessToken($consumer, array('method' => 'oauth.getAccessToken'));
$token       = $consumer->getAccessToken($_GET, $requestToken, null, $accessToken);

The second parameter for Zend_Oauth_Http_AccessToken::__construct() (array('method' => 'oauth.getAccessToken')) will be overridden if the request token contains the oauth_verifier parameter.

This happens in Zend/Oauth/Consumer.php:


// OAuth 1.0a Verifier
if (!is_null($authorizedToken->getParam('oauth_verifier'))) {
    $request->setParameters(array(
        'oauth_verifier' => $authorizedToken->getParam('oauth_verifier')
    ));
}

A simple fix for this issue:


// OAuth 1.0a Verifier
if (!is_null($authorizedToken->getParam('oauth_verifier'))) {
    $params = array_merge($request->getParameters(), array(
        'oauth_verifier' => $authorizedToken->getParam('oauth_verifier')
    ));
    
    $request->setParameters($params);
}

So the parameters will be merged and not overridden. This is necessary to get the digg API working.
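The difference between the two snippets above, as an added example that is not part of the original report or of Zend Framework: `DemoRequest`, `applyVerifierBefore()` and `applyVerifierAfter()` are hypothetical names, and the class models only the replace-on-set behaviour the report describes. It also shows that, because the verifier is the second argument to `array_merge()`, it takes precedence over an `oauth_verifier` key supplied in the custom parameters.

```php
<?php
// Hypothetical stand-in for the request object. It models only the
// replace-on-set behaviour described in the report, not Zend's real class.
class DemoRequest
{
    private $params;
    public function __construct(array $params) { $this->params = $params; }
    public function getParameters() { return $this->params; }
    public function setParameters(array $params)
    {
        $this->params = $params; // replaces the whole set, does not merge
        return $this;
    }
}

// Logic before the fix: only oauth_verifier is left on the request.
function applyVerifierBefore(DemoRequest $request, $verifier)
{
    if (!is_null($verifier)) {
        $request->setParameters(array('oauth_verifier' => $verifier));
    }
    return $request->getParameters();
}

// Logic after the fix: existing parameters are kept. The verifier array is
// the second argument to array_merge(), so for the string key
// 'oauth_verifier' its value wins over any caller-supplied one.
function applyVerifierAfter(DemoRequest $request, $verifier)
{
    if (!is_null($verifier)) {
        $request->setParameters(array_merge(
            $request->getParameters(),
            array('oauth_verifier' => $verifier)
        ));
    }
    return $request->getParameters();
}

// Constructed sample values, including a stale caller-supplied verifier.
$custom = array('method' => 'oauth.getAccessToken', 'oauth_verifier' => 'stale');
$before = applyVerifierBefore(new DemoRequest($custom), 'v-123');
$after  = applyVerifierAfter(new DemoRequest($custom), 'v-123');

if (isset($before['method'])) { throw new Exception('expected method to be lost'); }
if ($after !== array('method' => 'oauth.getAccessToken', 'oauth_verifier' => 'v-123')) {
    throw new Exception('expected merged parameters');
}
var_dump($before, $after);
```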

Comments

Fixed in r22474. Thank you for the report!