avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.

2017-09-05 17:12:31 -07:00 · 2017-09-05 17:12:31 -07:00 · 1305584d77
commit 1305584d77
parent 03b31932d1
1 changed files with 1 additions and 1 deletions
--- a/include/zot.php
+++ b/include/zot.php
@ -133,7 +133,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
 	}

 	if ($secret) {
-		$data['secret'] = $secret;
+		$data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
 		$data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey']));
 	}