From 1305584d77e1b7ecedb545b92b037a89dd631361 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Tue, 5 Sep 2017 17:12:31 -0700
Subject: [PATCH] avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.
---
 include/zot.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/zot.php b/include/zot.php
index 3143fa000..e120755b5 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -133,7 +133,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
 }
 if ($secret) {
- $data['secret'] = $secret;
+ $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
 $data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey']));
 }
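Review bot: `secret_sig` is still computed over the unfiltered `$secret` while `$data['secret']` now carries the filtered copy, so whenever the filter removes a character the two fields no longer describe the same value, and a receiver that checks the signature against the received secret would presumably reject the packet. Filter once and use the result for both, e.g. `$secret = preg_replace('/[^0-9a-fA-F]/','',$secret);` as the first line inside `if ($secret)`, followed by the original `$data['secret'] = $secret;`. Silent stripping can also leave an empty or shortened token; refusing a value that fails `ctype_xdigit($secret)` and logging it would make that case visible instead of sending a weakened secret. This hunk sits in the packet builder, and zot_build_packet starts and ends outside it; the code that consumes a received token is not visible here, so confirm the same hex-only restriction is enforced there as well.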