ZF-10247: Zend_Http_Client URL encoding of spaces (which RFC are we applying?)
In attempting to resolve a Zend_Oauth issue (uses a subclass of Zend_Http_Client), the original reporter noted that Zend_Http_Client uses http_build_query() to URL encode GET/POST parameters. This encodes all spaces as +, and not the percent encoding %20. The + encoding is not acceptable for OAuth or any other digitally signed protocol under RFC 3986. I'm currently investigating how live services and my own testing are not impacted by this but other implementations are - OAuth is a minefield for interoperability issues.
I am not an HTTP expert, but it seems a relatively simple task to switch from + to %20 (BC can be considered - not sure of any impact), and it will certainly prevent a number of dependent components suffering from unnoticed bugs. Consistency of URIs may not seem to matter from the perspective of general querying where + and %20 can be interpreted similarly, but the same is not true of protocols where URI parameters are digitally signed and interpreted strictly as-is in accordance with the latest RFC. This means that + and %20 alter the base signature of a URI depending on the encoding selected which feeds back to generated HMACs.
It would be great to get some feedback/opinions on the above since, not being an HTTP expert, I could be misunderstanding something. The only thing I am sure of is that PHP is fairly bad at applying RFCs consistently across all functions and Zend_Http_Client may be an unwitting victim of http_build_query() whose documentation does not clarify the RFC it applies. This should, without doubt, be fixed in ZF2 where there is no hesitation needed in making BC breaking changes given the continuing growth of digital signing in HTTP based protocols.
Once I figure out the compensatory measures employed by implementations like Twitter (unaffected by this), I can assess if a fix is absolutely necessary. If it is, the dependency on Zend_Http_Client will require copy-paste editing of the request() method if the above fix cannot be added. It would be great for ZF 2.0 if subclassing Zend_Http_Client was considered going forward and we could introduce more bit-size splits of concerns in the class - subclassing it is not all that easy to do without duplicating a lot of its code.
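The mismatch described in this report, as an added example that is not part of the original report or of Zend Framework: the same parameters are signed once with the default form encoding of http_build_query() and once with RFC 3986 percent-encoding, and the two HMACs are compared. The key, URL, parameter values and the function name `signatureFor` are constructed for illustration, and the `PHP_QUERY_RFC3986` argument assumes PHP 5.4 or later.

```php
<?php
// Constructed sample values (not from the report).
$params = array('status' => 'hello world', 'oauth_nonce' => 'abc123');
$key    = 'consumer-secret&token-secret';
$method = 'GET';
$url    = 'https://api.example.com/1/update';

ksort($params); // OAuth 1.0 sorts parameters by name before signing

// Default enc_type (PHP_QUERY_RFC1738, form encoding): space becomes "+"
$formEncoded = http_build_query($params, '', '&');

// RFC 3986 percent-encoding: space becomes "%20"
$rfc3986 = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

// Equivalent for PHP versions without the enc_type argument:
// rawurlencode() every key and value, then join by hand.
$pairs = array();
foreach ($params as $name => $value) {
    $pairs[] = rawurlencode($name) . '=' . rawurlencode($value);
}
$manual = implode('&', $pairs);

// Hypothetical helper: HMAC-SHA1 over an OAuth-style signature base string
// (METHOD & encoded URL & encoded parameter string).
function signatureFor($method, $url, $query, $key)
{
    $base = $method . '&' . rawurlencode($url) . '&' . rawurlencode($query);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

$sigForm    = signatureFor($method, $url, $formEncoded, $key);
$sigRfc3986 = signatureFor($method, $url, $rfc3986, $key);

echo "form encoded : $formEncoded\n";
echo "RFC 3986     : $rfc3986\n";
echo "manual       : $manual\n";
echo "signature (+)   : $sigForm\n";
echo "signature (%20) : $sigRfc3986\n";

// A verifier that rebuilds the base string with %20 rejects a request signed
// over "+", even though both query strings decode to the same parameters.
echo 'signatures match: '
    . ($sigForm === $sigRfc3986 ? 'yes' : 'no') . "\n";
echo 'manual equals RFC 3986 form: '
    . ($manual === $rfc3986 ? 'yes' : 'no') . "\n";
```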