From f6036f3dd8d543eed635c5cc5df63689cb77246d Mon Sep 17 00:00:00 2001
From: Alex Cartwright
Date: Thu, 21 May 2015 12:12:50 +0100
Subject: [PATCH] Ensure OAuth1 signature is created as per the spec
---
 lib/class-wp-json-authentication-oauth1.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/class-wp-json-authentication-oauth1.php b/lib/class-wp-json-authentication-oauth1.php
index 3a0612f..7f08ccc 100644
--- a/lib/class-wp-json-authentication-oauth1.php
+++ b/lib/class-wp-json-authentication-oauth1.php
@@ -551,7 +551,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 $params = array_merge( $params, $oauth_params );
- $base_request_uri = rawurlencode( get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) ) );
+ $base_request_uri = get_home_url( null, parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
 // get the signature provided by the consumer and remove it from the parameters prior to checking the signature
 $consumer_signature = rawurldecode( $params['oauth_signature'] );
@@ -567,7 +567,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 $query_string = $this->create_signature_string( $params );
 $token = (array) $token;
- $string_to_sign = $http_method . '&' . $base_request_uri . '&' . $query_string;
+ $string_to_sign = $http_method . '&' . rawurlencode( $base_request_uri ) . '&' . rawurlencode( $query_string );
 $key_parts = array(
 $consumer->secret,
 ( $token ? $token['secret'] : '' )
@@ -604,7 +604,7 @@ protected function check_oauth_signature( $consumer, $oauth_params, $token = nul
 * @return string Signature string
 */
 public function create_signature_string( $params ) {
- return implode( '%26', $this->join_with_equals_sign( $params ) ); // join with ampersand
+ return implode( '&', $this->join_with_equals_sign( $params ) ); // join with ampersand
 }
 /**
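Review bot: The base string URI on the new `$base_request_uri` line is still `get_home_url()` plus the full path from `$_SERVER['REQUEST_URI']`, so on a site whose home URL already carries a path (a subdirectory install) that path would presumably appear twice and no client signature could match. This is inferred from how `get_home_url()` appends its `$path` argument, so it is worth a test on such an install. Separately, `parse_url()` returns `false` for a malformed request URI and `null` when there is no path, and the result is passed on unchecked, so the signature would be verified against the bare home URL instead of the request being refused. A guard such as `$path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ); if ( ! is_string( $path ) ) { /* reject via this method's existing error return */ }` keeps the check fail-closed. The body of `check_oauth_signature` starts and ends outside the hunk.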
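Review bot: `$http_method` goes into `$string_to_sign` as-is while the other two components are now percent-encoded on this line. RFC 5849 section 3.4.1.1 wants the method uppercased, and its assignment is outside the hunk, so confirm it is normalised there, e.g. `strtoupper( $_SERVER['REQUEST_METHOD'] )`. Because this commit moves the encoding between three functions, a comment above the line would stop a later edit from double-encoding: `// RFC 5849 3.4.1.1: METHOD & enc(base URI) & enc(normalised params); each part is encoded exactly once, here`. The same question applies to `$key_parts`: the spec joins the percent-encoded consumer and token secrets with `&`, and whether they are encoded before being joined is not visible in this hunk.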
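Review bot: `create_signature_string()` is public and the meaning of its return value changes here: it used to be a fragment already escaped for the base string (pairs joined with `%26`), and it is now the plain normalised parameter string that the caller must pass through `rawurlencode()` exactly once. The docblock above should say so, for example `@return string Normalised parameter string (RFC 5849 3.4.1.3.2); not yet percent-encoded for the signature base string`. Any caller outside this file that concatenated the old result directly into a base string would now build an unencoded one and reject valid signatures, so other uses should be searched for before release. The docblock begins outside the hunk.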
@@ -624,8 +624,8 @@ public function join_with_equals_sign( $params, $query_params = array(), $key =
 if ( $key ) {
 $param_key = $key . '[' . $param_key . ']'; // Handle multi-dimensional array
 }
- $string = $param_key . '=' . $param_value; // join with equals sign
- $query_params[] = urlencode( $string );
+ $string = rawurlencode( $param_key ) . '=' . rawurlencode( $param_value ); // join with equals sign
+ $query_params[] = $string;
 }
 }
 return $query_params;
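Review bot: Names and values are percent-encoded here, after whatever ordering the caller applied, whereas RFC 5849 section 3.4.1.3.2 sorts parameters by their encoded name with ties broken by encoded value. The sort is not in this hunk; if it runs on the raw keys, nested keys built as `$key . '[' . $param_key . ']'` can land in a different position than in a client that sorts after encoding, because `[` (0x5B) becomes `%5B` and `%` (0x25) sorts ahead of letters and digits. Sorting the encoded pairs before `create_signature_string()` joins them would remove the ambiguity; compare name and value separately rather than the joined `name=value` string, since `=` would otherwise take part in the comparison. Also note that `rawurlencode()` leaves `~` unencoded only from PHP 5.3 onward, so on an older runtime a value containing `~` would not verify. The loop and the array branch of `join_with_equals_sign` start outside the hunk.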