set_form_data() does not escape "*" (asterisk) in POST body data
jfhbrook opened this issue · comments
When trying to send a tweet with an asterisk in it, twurl responds with a "Could not authenticate you." message.
Expected behavior
When I run twurl -X POST -d "status=*tweet*" /1.1/statuses/update.json, it successfully tweets, or complains that the post body is malformed (though I couldn't find anything about asterisks in post bodies being bad...).
Actual behavior
twurl responds with a "Could not authenticate you" message:
{
"errors": [
{
"code": 32,
"message": "Could not authenticate you."
}
]
}
As concisely as possible, describe the observed behavior.
Steps to reproduce the behavior
- Authenticate with twurl
- Try to send a status with an asterisk in it
This seems like an issue with the Net::HTTPHeader module. We use set_form_data() at here:
https://github.com/twitter/twurl/blob/master/lib/twurl/oauth_client.rb#L113-L115
but maybe it's not escaping * properly and resulting in a signature mismatch. I had a workaround that can remediate this (will open a PR) but you can also use query parameters instead.
$ twurl -X POST '/1.1/statuses/update.json?status=*tweet*'
This should work as expected.
@jfhbrook Confirmed, set_form_data() does not escape *.
https://github.com/ruby/ruby/blob/v2_6_5/lib/uri/common.rb#L357-L379
* set_form_data() calls URI.encode_www_form(), and URI.encode_www_form() calls encode_www_form_component()
The fix is merged into master.
https://github.com/twitter/twurl/releases/tag/v0.9.4
Closing. Again, thanks for your report @jfhbrook !