harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

block forgeries

Browse Source
This commit is contained in:
friendica 2013-10-02 02:50:02 -07:00
parent f7aaa2290a
commit de9aee8a07
3 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/deliver.php
View File

@ -26,7 +26,7 @@ function deliver_run($argv, $argc) {
// If there is no outq_msg, this is a refresh_all message which does not require local handling // If there is no outq_msg, this is a refresh_all message which does not require local handling
if($r[0]['outq_msg']) { if($r[0]['outq_msg']) {
$msg = array('body' => json_encode(array('pickup' => array(array('notify' => json_decode($r[0]['outq_notify'],true),'message' => json_decode($r[0]['outq_msg'],true)))))); $msg = array('body' => json_encode(array('pickup' => array(array('notify' => json_decode($r[0]['outq_notify'],true),'message' => json_decode($r[0]['outq_msg'],true))))));
zot_import($msg); zot_import($msg,z_root());
$r = q("delete from outq where outq_hash = '%s' limit 1", $r = q("delete from outq where outq_hash = '%s' limit 1",
dbesc($argv[$x]) dbesc($argv[$x])
); );

21
include/zot.php
View File

@ -801,8 +801,7 @@ function zot_fetch($arr) {
$datatosend = json_encode(aes_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey'])); $datatosend = json_encode(aes_encapsulate(json_encode($data),$ret_hub['hubloc_sitekey']));
$fetch = zot_zot($url,$datatosend); $fetch = zot_zot($url,$datatosend);
$result = zot_import($fetch, $arr['sender']['url']);
$result = zot_import($fetch);
return $result; return $result;
} }
@ -815,7 +814,7 @@ function zot_fetch($arr) {
* The message types handled here are 'activity' (e.g. posts), 'mail' and 'profile' * The message types handled here are 'activity' (e.g. posts), 'mail' and 'profile'
*/ */
function zot_import($arr) { function zot_import($arr, $sender_url) {
$data = json_decode($arr['body'],true); $data = json_decode($arr['body'],true);
@ -842,6 +841,13 @@ function zot_import($arr) {
logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA); logger('zot_import: notify: ' . print_r($i['notify'],true), LOGGER_DATA);
$hub = zot_gethub($i['notify']['sender']);
if((! $hub) || ($hub['hubloc_url'] != $sender_url)) {
logger('zot_import: potential forgery: wrong site for sender: ' . $sender_url . ' != ' . print_r($i['notify'],true));
continue;
}
$i['notify']['sender']['hash'] = base64url_encode(hash('whirlpool',$i['notify']['sender']['guid'] . $i['notify']['sender']['guid_sig'], true)); $i['notify']['sender']['hash'] = base64url_encode(hash('whirlpool',$i['notify']['sender']['guid'] . $i['notify']['sender']['guid_sig'], true));
$deliveries = null; $deliveries = null;
@ -1093,6 +1099,15 @@ function allowed_public_recips($msg) {
function process_delivery($sender,$arr,$deliveries,$relay) { function process_delivery($sender,$arr,$deliveries,$relay) {
$result = array(); $result = array();
// We've validated the sender. Now make sure that the sender is the owner or author
// This needs to be done in each process_xxxx function because the data arrays and conditions will be different.
if($sender['hash'] != $arr['owner_xchan'] && $sender_hash != $arr['author_xchan']) {
logger('process_delivery: sender is not owner or author');
return;
}
foreach($deliveries as $d) { foreach($deliveries as $d) {
$r = q("select * from channel where channel_hash = '%s' limit 1", $r = q("select * from channel where channel_hash = '%s' limit 1",

2
version.inc
View File

@ -1 +1 @@
2013-10-01.453 2013-10-02.454