harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

SECURITY: signature issue

Browse Source
This commit is contained in:
zotlabs
2018-10-09 22:37:53 -07:00
parent 2cb52f8875
commit c6f3298f78
4 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
Zotlabs/Web/HTTPSig.php
View File

@@ -104,6 +104,21 @@ class HTTPSig {
if(strpos($h,'.')) {
$spoofable = true;
}
if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
return $result;
}
if($h === 'date') {
$d = new \DateTime($headers[$h]);
$d->setTimeZone(new \DateTimeZone('UTC'));
$dplus = datetime_convert('UTC','UTC','now + 1 day');
$dminus = datetime_convert('UTC','UTC','now - 1 day');
$c = $d->format('Y-m-d H:i:s');
if($c > $dplus || $c < $dminus) {
logger('bad time: ' . $c);
return $result;
}
}
}
$signed_data = rtrim($signed_data,"\n");