Merge branch 'master' of https://github.com/facebook/facebook-php-sdk

Author: moisadoru

.gitignore

@@ -2,3 +2,5 @@
 vendor/
 composer.lock
 composer.phar
+.DS_Store
+.idea/

readme.md

@@ -39,6 +39,14 @@ if ($user) {
 }
 ```
 
+You can make api calls by choosing the `HTTP method` and setting optional `parameters`:
+```php
+$facebook->api('/me/feed/', 'post', array(
+	'message' => 'I want to display this message on my wall'
+));
+```
+
+
 Login or logout url will be needed depending on current user state.
 ```php
 if ($user) {

src/base_facebook.php

@@ -123,7 +123,7 @@ abstract class BaseFacebook
   /**
    * Version.
    */
-  const VERSION = '3.2.2';
+  const VERSION = '3.2.3';
 
   /**
    * Signed Request Algorithm.
@@ -215,13 +215,23 @@ abstract class BaseFacebook
    */
   protected $trustForwarded = false;
 
+  /**
+   * Indicates if signed_request is allowed in query parameters.
+   *
+   * @var boolean
+   */
+  protected $allowSignedRequest = true;
+
   /**
    * Initialize a Facebook Application.
    *
    * The configuration:
    * - appId: the application ID
    * - secret: the application secret
    * - fileUpload: (optional) boolean indicating if file uploads are enabled
+   * - allowSignedRequest: (optional) boolean indicating if signed_request is
+   *                       allowed in query parameters or POST body.  Should be
+   *                       false for non-canvas apps.  Defaults to true.
    *
    * @param array $config The application configuration
    */
@@ -234,6 +244,10 @@ public function __construct($config) {
     if (isset($config['trustForwarded']) && $config['trustForwarded']) {
       $this->trustForwarded = true;
     }
+    if (isset($config['allowSignedRequest'])
+        && !$config['allowSignedRequest']) {
+        $this->allowSignedRequest = false;
+    }
     $state = $this->getPersistentData('state');
     if (!empty($state)) {
       $this->state = $state;
@@ -490,9 +504,10 @@ protected function getUserAccessToken() {
    */
   public function getSignedRequest() {
     if (!$this->signedRequest) {
-      if (!empty($_REQUEST['signed_request'])) {
+      if ($this->allowSignedRequest && !empty($_REQUEST['signed_request'])) {
         $this->signedRequest = $this->parseSignedRequest(
-          $_REQUEST['signed_request']);
+          $_REQUEST['signed_request']
+        );
       } else if (!empty($_COOKIE[$this->getSignedRequestCookieName()])) {
         $this->signedRequest = $this->parseSignedRequest(
           $_COOKIE[$this->getSignedRequestCookieName()]);
@@ -1025,12 +1040,23 @@ protected function parseSignedRequest($signed_request) {
     // check sig
     $expected_sig = hash_hmac('sha256', $payload,
                               $this->getAppSecret(), $raw = true);
-    if ($sig !== $expected_sig) {
+
+    if (strlen($expected_sig) !== strlen($sig)) {
       self::errorLog('Bad Signed JSON signature!');
       return null;
     }
 
-    return $data;
+    $result = 0;
+    for ($i = 0; $i < strlen($expected_sig); $i++) {
+      $result |= ord($expected_sig[$i]) ^ ord($sig[$i]);
+    }
+
+    if ($result == 0) {
+      return $data;
+    } else {
+      self::errorLog('Bad Signed JSON signature!');
+      return null;
+    }
   }
 
   /**
@@ -1249,7 +1275,8 @@ protected function getCurrentUrl() {
    */
   protected function shouldRetainParam($param) {
     foreach (self::$DROP_QUERY_PARAMS as $drop_query_param) {
-      if (strpos($param, $drop_query_param.'=') === 0) {
+      if ($param === $drop_query_param ||
+          strpos($param, $drop_query_param.'=') === 0) {
         return false;
       }
     }

tests/tests.php

@@ -375,7 +375,20 @@ public function testGetUserFromSignedRequest() {
                         'Failed to get user ID from a valid signed request.');
   }
 
-  public function testSignedRequestRewrite(){
+  public function testDisallowSignedRequest() {
+    $facebook = new TransientFacebook(array(
+      'appId'  => self::APP_ID,
+      'secret' => self::SECRET,
+      'allowSignedRequest' => false
+    ));
+
+    $_REQUEST['signed_request'] = self::kValidSignedRequest();
+    $this->assertEquals(0, $facebook->getUser(),
+        'Should not have received valid user from signed_request.');
+  }
+
+
+    public function testSignedRequestRewrite(){
     $facebook = new FBRewrite(array(
       'appId'  => self::APP_ID,
       'secret' => self::SECRET,