harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

require token signatures in zot_refresh, also move channel specific stuff into include/channel.php from include/connections.php

Browse Source
This commit is contained in:
redmatrix
2016-05-24 23:05:00 -07:00
parent 80f2ba640e
commit c37eaff263
5 changed files with 50 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
include/zot.php
View File

@@ -329,8 +329,12 @@ function zot_refresh($them, $channel = null, $force = false) {
return false;
}
$token = random_string();
$postvars = array();
$postvars['token'] = $token;
if($channel) {
$postvars['target'] = $channel['channel_guid'];
$postvars['target_sig'] = $channel['channel_guid_sig'];
@@ -343,11 +347,13 @@ function zot_refresh($them, $channel = null, $force = false) {
$postvars['guid_hash'] = $them['xchan_hash'];
if (array_key_exists('xchan_guid',$them) && $them['xchan_guid']
&& array_key_exists('xchan_guid_sig',$them) && $them['xchan_guid_sig']) {
$postvars['guid'] = $them['xchan_guid'];
$postvars['guid_sig'] = $them['xchan_guid_sig'];
}
$token = random_string();
$rhs = '/.well-known/zot-info';
$result = z_post_url($url . $rhs,$postvars);
@@ -363,6 +369,22 @@ function zot_refresh($them, $channel = null, $force = false) {
return false;
}
$signed_token = ((is_array($j) && array_key_exists('signed_token',$j)) ? $j['signed_token'] : null);
if($signed_token) {
$valid = rsa_verify('token.' . $token,base64url_decode($signed_token),$j['key']);
if(! $valid) {
logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
return false;
}
}
else {
logger('No signed token from ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
// after 2017-01-01 this will be a hard error unless you over-ride it.
if((time() > 1483228800) && (! get_config('system','allow_unsigned_zotfinger'))) {
return false;
}
}
$x = import_xchan($j, (($force) ? UPDATE_FLAGS_FORCED : UPDATE_FLAGS_UPDATED));
if(! $x['success'])
@@ -1493,7 +1515,7 @@ function public_recips($msg) {
/**
* @brief
*
* This is the second part of public_recipes().
* This is the second part of public_recips().
* We'll find all the channels willing to accept public posts from us, then
* match them against the sender privacy scope and see who in that list that
* the sender is allowing.