set_form_data() does not escape "*" (asterisk) in POST body data

[jfhbrook]

When trying to send a tweet with an asterisk in it, twurl responds with a "Could not authenticate you." message.

Expected behavior

When I run twurl -X POST -d "status=*tweet*" /1.1/statuses/update.json, it successfully tweets, or complains that the post body is malformed (though I couldn't find anything about asterisks in post bodies being bad...).

Actual behavior

twurl responds with a "Could not authenticate you" message:

{
  "errors": [
    {
      "code": 32,
      "message": "Could not authenticate you."
    }
  ]
}

As concisely as possible, describe the observed behavior.

Steps to reproduce the behavior

• Authenticate with twurl
• Try to send a status with an asterisk in it

[smaeda-ks]

This seems like an issue with the Net::HTTPHeader module. We use set_form_data() at here:
https://github.com/twitter/twurl/blob/master/lib/twurl/oauth_client.rb#L113-L115

but maybe it's not escaping * properly and resulting in a signature mismatch. I had a workaround that can remediate this (will open a PR) but you can also use query parameters instead.

$ twurl -X POST '/1.1/statuses/update.json?status=*tweet*'

This should work as expected.

[smaeda-ks]

@jfhbrook Confirmed, set_form_data() does not escape *.
https://github.com/ruby/ruby/blob/v2_6_5/lib/uri/common.rb#L357-L379

* set_form_data() calls URI.encode_www_form(), and URI.encode_www_form() calls encode_www_form_component()

[smaeda-ks]

The fix is merged into master.

[smaeda-ks]

https://github.com/twitter/twurl/releases/tag/v0.9.4

Closing. Again, thanks for your report @jfhbrook !