harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

only validate headers that aren't "spoofable", which will be somewhat implementation dependent.

Browse Source
This commit is contained in:
zotlabs 2017-09-03 17:12:42 -07:00
parent 499b7de0d2
commit db82d303e2
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Zotlabs/Web/HTTPSig.php
View File

@ -26,6 +26,7 @@ class HTTPSig {
$body = $data; $body = $data;
$headers = null; $headers = null;
$spoofable = false;
$result = [ $result = [
'signer' => '', 'signer' => '',
@ -80,6 +81,9 @@ class HTTPSig {
if(array_key_exists($h,$headers)) { if(array_key_exists($h,$headers)) {
$signed_data .= $h . ': ' . $headers[$h] . "\n"; $signed_data .= $h . ': ' . $headers[$h] . "\n";
} }
if(strpos($h,'.')) {
$spoofable = true;
}
} }
$signed_data = rtrim($signed_data,"\n"); $signed_data = rtrim($signed_data,"\n");
@ -101,6 +105,7 @@ class HTTPSig {
if($x === false) if($x === false)
return $result; return $result;
if(! $spoofable)
$result['header_valid'] = true; $result['header_valid'] = true;
if(in_array('digest',$signed_headers)) { if(in_array('digest',$signed_headers)) {