Twitter unescaping oauth_callback value during authorization


#1

Hi Twitter Api Team!

Recently I've started getting reports that I've tracked down to a change that broke the escaping of oauth_callback values used during Twitter OAuth (I don't have a specific timeframe, but the earliest reports of this issue I have are from March 11th).

Previously, when authorizing with Twitter using the web flow, the oauth_callback could successfully include properly escaped ? and & values. After authorization the browser is expected to be redirected using the original oauth_callback; however, some values in the oauth_callback are incorrectly unescaped.

To reproduce:

Construct an oauth_callback that contains URL parameters with properly escaped ? and & values.

For example, a callback URL with a URL parameter that has %3F%26 in it:

import urllib  # Python 2; on Python 3 use: from urllib.parse import quote
urllib.quote('http://jehiah.cz/path?with=embeded_values&like=%3F%26this')
'http%3A//jehiah.cz/path%3Fwith%3Dembeded_values%26like%3D%253F%2526this'

The fully constructed authorization request looks like this:

https://api.twitter.com/oauth/authorize?oauth_token=...&oauth_callback=http%3A//jehiah.cz/path%3Fwith%3Dembeded_values%26like%3D%253F%2526this

After authorization, Twitter should redirect the browser to the original callback URL:

http://jehiah.cz/path?with=embeded_values&like=%3F%26this

but instead it's redirected to the following URL, which is not equivalent to the original (note that parameter parsing will be broken because of the excessive unescaping). Twitter should not apply multiple levels of unescaping to reserved URL characters ('?', '&', '=', '/', '%', etc.):

http://jehiah.cz/path?with=embeded_values&like=?&this

Is anyone else seeing this issue?
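The round trip described in the post, as an added example that is not part of the original post or of Twitter's code: a Python 3 model of the client percent-encoding oauth_callback once, the server decoding it once (correct) versus twice (the behaviour reported above), and what the callback handler then receives. The callback value is the one from the post; the token and verifier values are constructed, and the appending of oauth_token and oauth_verifier to the callback follows RFC 5849 section 2.2.

```python
# Added example (not code from the original post): models the OAuth 1.0a
# authorize/redirect round trip and shows why oauth_callback must be
# percent-decoded exactly once.
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed input, identical to the callback in the post: the value of
# "like" carries an escaped "?&" that must survive the round trip intact.
CALLBACK = 'http://jehiah.cz/path?with=embeded_values&like=%3F%26this'
AUTHORIZE_ENDPOINT = 'https://api.twitter.com/oauth/authorize'


def encode_callback(callback):
    """Client side: percent-encode oauth_callback once so it can be placed in
    the authorize query string.  quote() leaves '/' unescaped by default,
    which reproduces the exact form shown in the post."""
    return quote(callback)


def build_authorize_url(oauth_token, callback):
    """Client side: the URL the browser is sent to."""
    return '%s?oauth_token=%s&oauth_callback=%s' % (
        AUTHORIZE_ENDPOINT, quote(oauth_token), encode_callback(callback))


def extract_callback(authorize_url):
    """Server side: parse the query string.  parse_qs() percent-decodes each
    value exactly once, which yields the caller's original callback."""
    params = parse_qs(urlsplit(authorize_url).query)
    return params['oauth_callback'][0]


def append_oauth_params(callback, oauth_token, oauth_verifier):
    """Server side: add oauth_token and oauth_verifier to the callback
    (RFC 5849 section 2.2), using '&' when the callback already has a query."""
    sep = '&' if '?' in callback else '?'
    return '%s%soauth_token=%s&oauth_verifier=%s' % (
        callback, sep, quote(oauth_token), quote(oauth_verifier))


def redirect_target_correct(authorize_url, oauth_token, oauth_verifier):
    """Decode once: the redirect reaches the callback exactly as built."""
    callback = extract_callback(authorize_url)
    return append_oauth_params(callback, oauth_token, oauth_verifier)


def redirect_target_buggy(authorize_url, oauth_token, oauth_verifier):
    """Decode twice (the behaviour reported in the post): %3F%26 inside a
    parameter value becomes a literal '?&', which corrupts the query."""
    callback = unquote(extract_callback(authorize_url))
    return append_oauth_params(callback, oauth_token, oauth_verifier)


def parse_callback_params(url):
    """Consumer side: the parameters the callback handler actually sees."""
    return parse_qs(urlsplit(url).query)


if __name__ == '__main__':
    url = build_authorize_url('request-token', CALLBACK)
    good = redirect_target_correct(url, 'request-token', 'verifier')
    bad = redirect_target_buggy(url, 'request-token', 'verifier')
    print('correct:', good)
    print('         ', parse_callback_params(good))
    print('buggy:  ', bad)
    print('         ', parse_callback_params(bad))
```

With a single decode the handler gets `like=['?&this']`; with the double decode it gets `like=['?']` and a stray `this` token with no value, which is the parsing breakage the post describes. The same decode-once rule matters when the server compares the callback against the one registered for the application: the comparison should be made on the once-decoded value, never on a further-unescaped one.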