reduce susceptibility to bleichenberger attack
parent
1f916adfb8
commit
d4ea56a77e
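--- a/boot.php
+++ b/boot.php
@@ -1176,6 +1176,7 @@ function check_config(&$a) {
 // our URL changed. Do something.
 
 $oldurl = hex2bin($saved);
+logger('Baseurl changed!');
 
 $oldhost = substr($oldurl,strpos($oldurl,'//')+2);
 $host = substr(z_root(),strpos(z_root(),'//')+2);
@@ -1312,7 +1312,7 @@ function get_plink($item) {
 $a = get_app();
 if (x($item,'plink') && ($item['item_private'] != 1)) {
 return array(
-'href' => $item['plink'],
+'href' => zid($item['plink']),
 'title' => t('link to source'),
 );
 }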
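Review bot: Wrapping `$item['plink']` in `zid()` in the second hunk (`'href' => zid($item['plink'])`) presumably appends the observer's identity to a URL that, for a remote item, points at a third-party host, so the viewer's channel address would be disclosed to whichever site the plink names. If that is intended, a comment such as `// zid() identifies the observer to the remote site hosting the source post` would make the trade-off explicit; otherwise limit the wrapping to links whose host is z_root() or a hub this site already trusts. get_plink's signature and the end of its body lie outside the hunk.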
24
mod/post.php
24
mod/post.php
@ -174,18 +174,30 @@ function post_post(&$a) {
if(array_key_exists('iv',$data)) {
if(array_key_exists('iv',$data)) {
$data = aes_unencapsulate($data,get_config('system','prvkey'));
$data = aes_unencapsulate($data,get_config('system','prvkey'));
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
if(! $data) {
|
$ret['message'] = 'Decryption failed.';
// susceptible to Bleichenberger attack
json_return_and_die($ret);
// if(! $data) {
}
// $ret['message'] = 'Decryption failed.';
|
// json_return_and_die($ret);
|
// }
|
|
$data = json_decode($data,true);
$data = json_decode($data,true);
|
|
}
}
|
|
if(! $data) {
if(! $data) {
$ret['message'] = 'No data received.';
|
json_return_and_die($ret);
// possible Bleichenberger attack, just treat it as a
|
// message we have no handler for. It should fail a bit
|
// further along with "no hub". Our public key is public
|
// knowledge. There's no reason why anybody should get the
|
// encryption wrong unless they're fishing or hacking. If
|
// they're developing and made a goof, this can be discovered
|
// in the logs of the destination site. If they're fishing or
|
// hacking, the bottom line is we can't verify their hub.
|
// That's all we're going to tell them.
|
|
|
$data = array('type' => 'bogus');
}
}
|
|
logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);
logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);
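Review bot: The four commented-out lines under `// susceptible to Bleichenberger attack` (`// if(! $data) {` through `// }`) should be deleted rather than kept as dead code; the rationale already sits in the second `if(! $data)` branch, so a single `// Decryption failure deliberately falls through to the generic 'bogus' handling below` suffices here, and the attack name in both comments is spelled `Bleichenbacher`. Folding the distinct 'Decryption failed.' reply into the generic path removes one oracle signal, but the two outcomes may presumably still be told apart by response timing if the success path does noticeably more work before answering, so the later handling of `'type' => 'bogus'` should stay as uniform as possible and the comment should describe the mitigation as partial. The second check `if(! $data)` also lets a truthy non-array JSON value (a bare number or `true`) through, where the code after the hunk that presumably reads `$data['type']` would fail; `if(! is_array($data))` would send that case down the same bogus path. post_post's body continues outside the hunk.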
@ -1 +1 @@
2013-09-23.445
2013-09-24.446