SECURITY: signature issue

(cherry picked from commit c6f3298f78)
This commit is contained in:
zotlabs 2018-10-10 05:37:53 +00:00 committed by Mario
parent 94905a71ac
commit 4e69467b14
4 changed files with 29 additions and 2 deletions


@ -146,12 +146,17 @@ class Magic extends \Zotlabs\Web\Controller {
$dest = strip_zids($dest);
$dest = strip_query_param($dest,'f');
$data = json_encode([ 'OpenWebAuth' => random_string() ]);
$headers = [];
$headers['Accept'] = 'application/x-zot+json' ;
$headers['X-Open-Web-Auth'] = random_string();
$headers['Host'] = $parsed['host'];
$headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false);
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
$x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]);
$x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]);
if($x['success']) {
$j = json_decode($x['body'],true);
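Review bot: The headers signed here (Accept, X-Open-Web-Auth, Host, Digest) contain no Date, so the ±1 day freshness window this same commit adds to HTTPSig::verify never applies to the OWA request; the only replay limiter is the nonce, and that holds only if the receiver records and rejects reused nonces, which the Owa hunk does not show. Adding `$headers['Date'] = gmdate('D, d M Y H:i:s') . ' GMT';` before the create_sig call would put the request under the new time check (unless z_post_url or create_sig already inject a Date header, which is not visible from here). The first argument to create_sig is an empty string; if that parameter is the request target, the method and path are not part of the signed string either, so the Digest binds the body but nothing binds the signature to the /owa endpoint. The enclosing method starts and ends outside the hunk.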


@ -45,7 +45,7 @@ class Owa extends \Zotlabs\Web\Controller {
}
if($r) {
foreach($r as $hubloc) {
$verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
$verified = \Zotlabs\Web\HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']);
if($verified && $verified['header_signed'] && $verified['header_valid']) {
logger('OWA header: ' . print_r($verified,true),LOGGER_DATA);
logger('OWA success: ' . $hubloc['hubloc_addr'],LOGGER_DATA);
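Review bot: `file_get_contents('php://input')` is now evaluated inside the foreach over `$r`, so the request body is re-read from the input stream on every hubloc iteration; whether a second read returns the same bytes or an empty string depends on the PHP version and on what earlier code in this controller has already consumed, so the body should be read exactly once. Hoist it above the loop, `$body = file_get_contents('php://input');`, and call `\Zotlabs\Web\HTTPSig::verify($body,$hubloc['xchan_pubkey']);` inside it. The body is only useful if verify actually recomputes and compares the Digest header against it; if verify merely passes `$data` through, the new argument adds no protection and a comment saying which behaviour is relied on would help. The enclosing method and the `if($r)` block start outside the hunk.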


@ -104,6 +104,21 @@ class HTTPSig {
if(strpos($h,'.')) {
$spoofable = true;
}
if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
return $result;
}
if($h === 'date') {
$d = new \DateTime($headers[$h]);
$d->setTimeZone(new \DateTimeZone('UTC'));
$dplus = datetime_convert('UTC','UTC','now + 1 day');
$dminus = datetime_convert('UTC','UTC','now - 1 day');
$c = $d->format('Y-m-d H:i:s');
if($c > $dplus || $c < $dminus) {
logger('bad time: ' . $c);
return $result;
}
}
}
$signed_data = rtrim($signed_data,"\n");
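Review bot: The new host check is a substring test in the wrong direction: it rejects only when the signed Host value does not occur anywhere inside our own hostname, so a signed Host of a single character that happens to appear in the hostname passes, and on PHP 8 an empty Host header passes outright because strpos with an empty needle returns 0 rather than false. Compare the two values for equality instead; if App::get_hostname() can carry a port, strip it explicitly before comparing rather than relaxing the test. In the date branch, `new \DateTime($headers[$h])` throws an \Exception on an unparseable value, which turns a malformed signed Date header into an uncaught error instead of the `return $result` the surrounding checks use, so the constructor needs a try/catch. The log line also prints `$sig_block['keyId']` as the left-hand side of a host mismatch, which makes the message misleading when reading logs. The enclosing method starts and ends outside the hunk.
```php
if($h === 'host' && strtolower(\App::get_hostname()) !== strtolower($headers[$h])) {
    logger('bad host: ' . \App::get_hostname() . ' != ' . $headers[$h]);
    return $result;
}
if($h === 'date') {
    try {
        $d = new \DateTime($headers[$h]);
    }
    catch(\Exception $e) {
        logger('bad date header: ' . $headers[$h]);
        return $result;
    }
    // … unchanged: UTC conversion and the ±1 day window check …
}
```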


@ -71,6 +71,11 @@ class Finger {
$url = 'https://' . $host;
}
$m = parse_url($url);
if($m) {
$parsed_host = strtolower($m['host']);
}
$rhs = '/.well-known/zot-info';
$https = ((strpos($url,'https://') === 0) ? true : false);
@ -88,6 +93,8 @@ class Finger {
$headers = [];
$headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
$headers['X-Zot-Nonce'] = random_string();
$headers['Host'] = $parsed['host'];
$xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
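Review bot: The second hunk signs `$headers['Host'] = $parsed['host'];`, but the first hunk parses the URL into `$m` and stores the lowercased host in `$parsed_host`; nothing visible assigns `$parsed`, so unless it is set in lines this page omits, the signed Host header is null and the remote verifier's new host check will reject every finger request from this code. The line should read `$headers['Host'] = $parsed_host;`. Note also that `$parsed_host` is only assigned when `parse_url($url)` succeeds, so the `if($m)` branch should return or fail early rather than leave the variable undefined for the signing code below. The enclosing method starts outside the hunks.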