authorJonathan Huot <jonathan.huot@thomsonreuters.com>2018-12-14 13:13:27 +0100
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2018-12-14 13:13:27 +0100
commita068c0b0b757db9f2df45442eb5833ee978568ae (patch)
tree8037c6026e5404ba7ae1dfcc91b910faf14549f4
parentac23d0973b441cd2afdcabe24f474147eada8242 (diff)
parent8aca902011981a236cedf32d0c859078c7881b71 (diff)
downloadoauthlib-a068c0b0b757db9f2df45442eb5833ee978568ae.tar.gz
Merge remote-tracking branch 'upstream/master' into 601-pkce-support
-rw-r--r--oauthlib/oauth1/rfc5849/__init__.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/oauthlib/oauth1/rfc5849/__init__.py b/oauthlib/oauth1/rfc5849/__init__.py
index 887ab69..7313286 100644
--- a/oauthlib/oauth1/rfc5849/__init__.py
+++ b/oauthlib/oauth1/rfc5849/__init__.py
@@ -173,10 +173,12 @@ class Client(object):
params.append(('oauth_verifier', self.verifier))
# providing body hash for requests other than x-www-form-urlencoded
- # as described in http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
+ # as described in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-4.1.1
# 4.1.1. When to include the body hash
# * [...] MUST NOT include an oauth_body_hash parameter on requests with form-encoded request bodies
# * [...] SHOULD include the oauth_body_hash parameter on all other requests.
+ # Note that SHA-1 is vulnerable. The spec acknowledges that in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-6.2
+ # At this time, no further effort has been made to replace SHA-1 for the OAuth Request Body Hash extension.
content_type = request.headers.get('Content-Type', None)
content_type_eligible = content_type and content_type.find('application/x-www-form-urlencoded') < 0
if request.body is not None and content_type_eligible: