In authentication.py initialize_server_request() the request parameters are not properly handled.
First, parameters in a POST request should only be passed to OAuthRequest if Content-Type == application/x-www-form-urlencoded.
Second, the conditional logic at the top of the method creates a variable called params, that is never used. Instead request.REQUEST.items() is passed to the OAuthRequest constructor. This is very BAD!!!
It causes POST requests that have multipart/form-data to not be validated correctly. Not to mention everything blows up if you're trying to upload a file!
The fix is to uncomment the check for application/x-www-form-urlencoded, and pass the variable params into the OAuthRequest constructor.