From 1f0da3f00f89c14eab8e68d38bd5681d0e139fc0 Mon Sep 17 00:00:00 2001
From: m0thman <ya.m0thman@gmail.com>
Date: Thu, 20 Dec 2012 20:29:37 +0300
Subject: [PATCH] Fix query string escaping
---
 lib/oauth_util.rb | 2 +-
 test/oauth_util_test.rb | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 test/oauth_util_test.rb
diff --git a/lib/oauth_util.rb b/lib/oauth_util.rb
index a98cb686..ba223d4e 100644
--- a/lib/oauth_util.rb
+++ b/lib/oauth_util.rb
@@ -56,7 +56,7 @@ class OauthUtil
 def query_string
 pairs = []
 @params.sort.each { | key, val |
- pairs.push( "#{ percent_encode( key ) }=#{ percent_encode( val.to_s ) }" )
+ pairs.push( "#{ CGI.escape(key.to_s).gsub(/%(5B|5D)/n) { [$1].pack('H*') } }=#{ CGI.escape(val.to_s) }" )
 }
 pairs.join '&'
 end
diff --git a/test/oauth_util_test.rb b/test/oauth_util_test.rb
new file mode 100644
index 00000000..78dea62c
--- /dev/null
+++ b/test/oauth_util_test.rb
@@ -0,0 +1,30 @@
+# encoding: utf-8
+require 'test_helper'
+require 'cgi'
+require 'uri'
+
+class OauthUtilTest < Test::Unit::TestCase
+ def test_query_string_escapes_single_quote
+ base_url = "http://example.com?location=d%27iberville"
+
+ o = OauthUtil.new
+ o.consumer_key = 'consumer_key'
+ o.consumer_secret = 'consumer_secret'
+
+ query_string = o.sign(URI.parse(base_url)).query_string
+
+ assert_match "location=d%27iberville", query_string
+ end
+
+ def test_query_string_sorts_url_keys
+ base_url = "http://example.com?a_param=a&z_param=b&b_param=c&n_param=d"
+
+ o = OauthUtil.new
+ o.consumer_key = 'consumer_key'
+ o.consumer_secret = 'consumer_secret'
+
+ query_string = o.sign(URI.parse(base_url)).query_string
+
+ assert_match /.*a_param=.*b_param=.*n_param=.*z_param=.*/, query_string
+ end
+end
-- 
GitLab
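Review bot: `CGI.escape` writes a space as `+`, and the `gsub` on the key puts literal `[` and `]` back, so the new `pairs.push` line no longer produces the encoding OAuth 1.0 specifies (RFC 5849 section 3.6: everything outside the unreserved set is percent-encoded, space as `%20`). `sign` is outside this hunk, but if it builds the signature base string from `query_string`, a provider that normalizes per the RFC will compute a different signature for any parameter containing a space or a bracket and reject the request. Since `CGI.escape` turns a literal plus into `%2B`, appending `.gsub('+', '%20')` to both escapes is safe, e.g. `CGI.escape(val.to_s).gsub('+', '%20')`; the bracket un-escaping deserves a comment naming the provider behaviour it exists for.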
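Review bot: Neither test exercises the `%5B`/`%5D` branch that this commit adds to `query_string`, nor a value containing a space, so the two behaviours most likely to break signature verification are unpinned. A third case with a bracketed key (for example `ids%5B%5D=1` in `base_url`) and one with `q=a%20b` would document what the encoder is expected to emit; the exact expected strings depend on how `sign` parses the URL, which is not visible here. The regex call in `test_query_string_sorts_url_keys` is also better written with parentheses, `assert_match(/a_param=.*b_param=.*n_param=.*z_param=/, query_string)`, to avoid Ruby's ambiguous-first-argument warning.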