ZF-11271: Wrong calculation of OAuth signature when using arrays as parameter values

Issue Type: Bug
Created: 2011-04-07T19:45:19.000+0000
Last Updated: 2011-05-02T22:38:22.000+0000
Status: Open
Fix version(s):
Reporter: Dominik Blunk (dblunk)
Assignee: Pádraic Brady (padraic)
Tags: Zend_Oauth
Related issues:
Attachments:


When using arrays as parameter values (POST or GET, I guess PUT too) the calculated OAuth signature is wrong. This is due to the fact that the method Zend_Oauth_Signature_SignatureAbstract::_getBaseSignatureString() does not handle array values in a correct way - it simply executes

    $encodedParams[Zend_Oauth_Http_Utility::urlEncode($key)] = Zend_Oauth_Http_Utility::urlEncode($value)

and this will throw the following warning:

    PHP Warning: rawurlencode() expects parameter 1 to be string, array given in /var/www/easycuc/library/Zend/Oauth/Http/Utility.php on line 213

When passing a parameter "data" = array('main' => array('A', 'B', 'C')), the base uri looks like this: GET& (decoded:…)

but should be: GET& (decoded:…)

I fixed this by changing the function Zend_Oauth_Signature_SignatureAbstract::_getBaseSignatureString() in the following way:

    protected function _getBaseSignatureString(array $params, $method = null, $url = null)
    {
        $encodedParams = array();
        foreach ($params as $key => $value) {
            if (is_array($value)) {
                // Array value: flatten to (key, value) pairs, then encode each pair
                $arr = Zend_Oauth_Http_Utility::flattenParametersArray($value, $key);
                foreach ($arr as $arrParam) {
                    $encodedParams[Zend_Oauth_Http_Utility::urlEncode($arrParam[0])]
                        = Zend_Oauth_Http_Utility::urlEncode($arrParam[1]);
                }
            } else {
                $encodedParams[Zend_Oauth_Http_Utility::urlEncode($key)]
                    = Zend_Oauth_Http_Utility::urlEncode($value);
            }
        }
        $baseStrings = array();
        if (isset($method)) {
            $baseStrings[] = strtoupper($method);
        }
        if (isset($url)) {
            // should normalise later
            $baseStrings[] = Zend_Oauth_Http_Utility::urlEncode(
                $this->normaliseBaseSignatureUrl($url)
            );
        }
        // The signature itself is never part of the string being signed
        if (isset($encodedParams['oauth_signature'])) {
            unset($encodedParams['oauth_signature']);
        }
        $baseStrings[] = Zend_Oauth_Http_Utility::urlEncode(
            $this->_toByteValueOrderedQueryString($encodedParams)
        );
        return implode('&', $baseStrings);
    }

Additionally I added the function flattenParametersArray to Zend_Oauth_Http_Utility (which is almost a 1:1 copy of Zend_Http_Client::_flattenParametersArray()):

    /**
     * Convert an array of parameters into a flat array of (key, value) pairs
     *
     * Will flatten a potentially multi-dimensional array of parameters (such
     * as POST parameters) into a flat array of (key, value) pairs. In case
     * of multi-dimensional arrays, square brackets ([]) will be added to the
     * key to indicate an array.
     *
     * @since 1.9
     *
     * @param array $parray
     * @param string $prefix
     * @return array
     */
    public static function flattenParametersArray($parray, $prefix = null)
    {
        if (! is_array($parray)) {
            return $parray;
        }

        $parameters = array();

        foreach ($parray as $name => $value) {

            // Calculate array key
            if ($prefix) {
                $key = $prefix . "[$name]";
            } else {
                $key = $name;
            }

            if (is_array($value)) {
                // Recurse into nested arrays, carrying the bracketed key as prefix
                $parameters = array_merge($parameters, self::flattenParametersArray($value, $key));

            } else {
                $parameters[] = array($key, $value);
            }
        }

        return $parameters;
    }

I look forward to your feedback :-)
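
The base-string construction this report is about, as an added stand-alone example (not the reporter's patch and not Zend Framework code). The helper names `flatten_params`, `oauth_encode` and `signature_base_string` are hypothetical, the keys, secrets and URL are constructed, the URL is assumed to be already normalised, and HMAC-SHA1 is assumed as the signature method.

```php
<?php
// Flatten nested parameters into (name, value) pairs, using the same
// "prefix[name]" key convention as flattenParametersArray() in the report.
function flatten_params(array $params, $prefix = null)
{
    $pairs = array();
    foreach ($params as $name => $value) {
        $key = ($prefix === null) ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $pairs = array_merge($pairs, flatten_params($value, $key));
        } else {
            $pairs[] = array($key, (string) $value);
        }
    }
    return $pairs;
}

// RFC 5849 section 3.6 percent-encoding ("~" stays unencoded).
function oauth_encode($s)
{
    return str_replace('%7E', '~', rawurlencode($s));
}

// RFC 5849 section 3.4.1: METHOD & encoded URL & encoded normalised parameters.
function signature_base_string($method, $url, array $params)
{
    unset($params['oauth_signature']); // never part of its own signature
    $encoded = array();
    foreach (flatten_params($params) as $pair) {
        // Kept as a list of pairs, so repeated names are not overwritten.
        $encoded[] = array(oauth_encode($pair[0]), oauth_encode($pair[1]));
    }
    usort($encoded, function ($a, $b) { // by encoded name, then encoded value
        return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]);
    });
    $query = implode('&', array_map(function ($p) {
        return $p[0] . '=' . $p[1];
    }, $encoded));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($query);
}

// Constructed sample request and secrets (not real credentials).
$params = array(
    'oauth_consumer_key' => 'example-key', 'oauth_nonce' => 'n0nce',
    'data' => array('main' => array('A', 'B', 'C')),
);
$base = signature_base_string('GET', 'http://example.com/api', $params);
$key  = oauth_encode('consumer-secret') . '&' . oauth_encode('token-secret');
echo $base, "\n", base64_encode(hash_hmac('sha1', $base, $key, true)), "\n";
```

The signature only verifies when the flattened names match, byte for byte, the parameter names the HTTP client actually sends on the wire.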

