perform input validation on xchan_store and re-enable the post method of the xchan api endpoint.

include/api_zot.php

@@ -335,7 +335,7 @@
 		require_once('include/hubloc.php');
 
 		if($_SERVER['REQUEST_METHOD'] === 'POST') {			
-			// $r = xchan_store($_REQUEST);
+			$r = xchan_store($_REQUEST);
 		}
 		$r = xchan_fetch($_REQUEST);
 		json_return_and_die($r);

include/hubloc.php

@@ -200,6 +200,14 @@ function xchan_store($arr) {
 	if(! $arr['photo'])
 		$arr['photo'] = z_root() . '/' . get_default_profile_photo();
 
+
+	if($arr['network'] === 'zot') {
+		if((! $arr['key']) || (! rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key']))) {
+			logger('Unable to verify signature for ' . $arr['hash']);
+			return false;
+		}
+	}
+
 	$r = q("insert into xchan ( xchan_hash, xchan_guid, xchan_guid_sig, xchan_pubkey, xchan_addr, xchan_url, xchan_connurl, xchan_follow, xchan_connpage, xchan_name, xchan_network, xchan_instance_url, xchan_hidden, xchan_orphan, xchan_censored, xchan_selfcensored, xchan_system, xchan_pubforum, xchan_deleted, xchan_name_date ) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s','%s','%s','%s',%d, %d, %d, %d, %d, %d, %d, '%s') ",
 		dbesc($arr['hash']),
 		dbesc($arr['guid']),