author | Omer Katz <omer.drow@gmail.com> | 2018-12-13 18:29:50 +0200 |
committer | GitHub <noreply@github.com> | 2018-12-13 18:29:50 +0200 |
commit | 8aca902011981a236cedf32d0c859078c7881b71 (patch) | |
tree | d10c1d33a5ee1358b2c564a6202a4997490ec1de | |
parent | 5d9a9c90ba04f85477c7859a3cc7b13577fc24f9 (diff) | |
download | oauthlib-8aca902011981a236cedf32d0c859078c7881b71.tar.gz |
Update comments regarding OAuth Request Body Hash. (#628)
-rw-r--r-- | oauthlib/oauth1/rfc5849/__init__.py | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/oauthlib/oauth1/rfc5849/__init__.py b/oauthlib/oauth1/rfc5849/__init__.py
index 887ab69..7313286 100644
--- a/oauthlib/oauth1/rfc5849/__init__.py
+++ b/oauthlib/oauth1/rfc5849/__init__.py
@@ -173,10 +173,12 @@ class Client(object):
             params.append(('oauth_verifier', self.verifier))
 
         # providing body hash for requests other than x-www-form-urlencoded
-        # as described in http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
+        # as described in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-4.1.1
         # 4.1.1. When to include the body hash
         # * [...] MUST NOT include an oauth_body_hash parameter on requests with form-encoded request bodies
         # * [...] SHOULD include the oauth_body_hash parameter on all other requests.
+        # Note that SHA-1 is vulnerable. The spec acknowledges that in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-6.2
+        # At this time, no further effort has been made to replace SHA-1 for the OAuth Request Body Hash extension.
         content_type = request.headers.get('Content-Type', None)
         content_type_eligible = content_type and content_type.find('application/x-www-form-urlencoded') < 0
         if request.body is not None and content_type_eligible:
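Review bot: The two added comment lines say "SHA-1 is vulnerable" without naming which property the body hash actually relies on, so a maintainer cannot judge the real exposure from the comment alone; what matters here is collision resistance, because only the digest of the body is covered by the OAuth signature, and a body that collides under SHA-1 would verify against the same signature. Suggest replacing the two added lines with `# The body hash depends on SHA-1 collision resistance (see section 6.2 of the draft); the digest algorithm is fixed by the extension, so it is not configurable here and cannot be changed without breaking interoperability.` The phrase "At this time" will age silently; if there is a tracking issue for replacing the digest, reference it in the comment rather than a date-free statement (the commit does not name one). The hashing call this comment describes, and the rest of the enclosing method, lie below the hunk.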