summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOmer Katz <omer.drow@gmail.com>2018-12-13 18:29:50 +0200
committerGitHub <noreply@github.com>2018-12-13 18:29:50 +0200
commit8aca902011981a236cedf32d0c859078c7881b71 (patch)
treed10c1d33a5ee1358b2c564a6202a4997490ec1de
parent5d9a9c90ba04f85477c7859a3cc7b13577fc24f9 (diff)
downloadoauthlib-8aca902011981a236cedf32d0c859078c7881b71.tar.gz
Update comments regarding OAuth Request Body Hash. (#628)
-rw-r--r--oauthlib/oauth1/rfc5849/__init__.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/oauthlib/oauth1/rfc5849/__init__.py b/oauthlib/oauth1/rfc5849/__init__.py
index 887ab69..7313286 100644
--- a/oauthlib/oauth1/rfc5849/__init__.py
+++ b/oauthlib/oauth1/rfc5849/__init__.py
@@ -173,10 +173,12 @@ class Client(object):
params.append(('oauth_verifier', self.verifier))
# providing body hash for requests other than x-www-form-urlencoded
- # as described in http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
+ # as described in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-4.1.1
# 4.1.1. When to include the body hash
# * [...] MUST NOT include an oauth_body_hash parameter on requests with form-encoded request bodies
# * [...] SHOULD include the oauth_body_hash parameter on all other requests.
+ # Note that SHA-1 is vulnerable. The spec acknowledges that in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-6.2
+ # At this time, no further effort has been made to replace SHA-1 for the OAuth Request Body Hash extension.
content_type = request.headers.get('Content-Type', None)
content_type_eligible = content_type and content_type.find('application/x-www-form-urlencoded') < 0
if request.body is not None and content_type_eligible: