From 8aca902011981a236cedf32d0c859078c7881b71 Mon Sep 17 00:00:00 2001
From: Omer Katz
Date: Thu, 13 Dec 2018 18:29:50 +0200
Subject: Update comments regarding OAuth Request Body Hash. (#628)

---
 oauthlib/oauth1/rfc5849/__init__.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oauthlib/oauth1/rfc5849/__init__.py b/oauthlib/oauth1/rfc5849/__init__.py
index 887ab69..7313286 100644
--- a/oauthlib/oauth1/rfc5849/__init__.py
+++ b/oauthlib/oauth1/rfc5849/__init__.py
@@ -173,10 +173,12 @@ class Client(object):
 params.append(('oauth_verifier', self.verifier))
 
 # providing body hash for requests other than x-www-form-urlencoded
- # as described in http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
+ # as described in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-4.1.1
 # 4.1.1. When to include the body hash
 # * [...] MUST NOT include an oauth_body_hash parameter on requests with form-encoded request bodies
 # * [...] SHOULD include the oauth_body_hash parameter on all other requests.
+ # Note that SHA-1 is vulnerable. The spec acknowledges that in https://tools.ietf.org/html/draft-eaton-oauth-bodyhash-00#section-6.2
+ # At this time, no further effort has been made to replace SHA-1 for the OAuth Request Body Hash extension.
 content_type = request.headers.get('Content-Type', None)
 content_type_eligible = content_type and content_type.find('application/x-www-form-urlencoded') < 0
 if request.body is not None and content_type_eligible:
-- 
cgit v1.2.1
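Review bot: The added line `# Note that SHA-1 is vulnerable.` is too vague for a reader deciding how much to trust oauth_body_hash; name the property that is lost and what it means for this parameter, e.g. `# Note that SHA-1 is no longer collision-resistant, so oauth_body_hash offers only weak integrity protection for the request body; section 6.2 of the draft acknowledges this and no replacement digest has been specified for the extension.` The two new comment lines are also far longer than the surrounding comments and would read better wrapped to the file's usual width. Separately, and outside what this commit changes, the context line `content_type.find('application/x-www-form-urlencoded') < 0` is a case-sensitive match on a media type that is case-insensitive, so unless headers are normalized before reaching here a form body sent with an unusually cased Content-Type would still receive a body hash, contrary to the MUST NOT quoted just above it; lowering the value first, `content_type.lower().find('application/x-www-form-urlencoded') < 0`, would close that gap. The enclosing method of Client begins and continues outside the hunk.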