authorzotlabs <mike@macgirvin.com>2017-09-03 17:12:42 -0700
committerzotlabs <mike@macgirvin.com>2017-09-03 17:12:42 -0700
commitdb82d303e217c2ca599a8b740ebb62339d373124 (patch)
tree25b180af20e5c439698e0e803c7b68889e0cb9f8
parent499b7de0d217e5e56819f34dea26cb5d395e2a0b (diff)
only validate headers that aren't "spoofable", which will be somewhat implementation dependent.
-rw-r--r--Zotlabs/Web/HTTPSig.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 1f485a881..e9e262125 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -24,8 +24,9 @@ class HTTPSig {
static function verify($data,$key = '') {
- $body = $data;
- $headers = null;
+ $body = $data;
+ $headers = null;
+ $spoofable = false;
$result = [
'signer' => '',
@@ -80,6 +81,9 @@ class HTTPSig {
if(array_key_exists($h,$headers)) {
$signed_data .= $h . ': ' . $headers[$h] . "\n";
}
+ if(strpos($h,'.')) {
+ $spoofable = true;
+ }
}
$signed_data = rtrim($signed_data,"\n");
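Review bot: `if(strpos($h,'.'))` tests the returned offset for truthiness, so a header name whose first character is a dot yields offset 0 and is never flagged as spoofable; use `if(strpos($h,'.') !== false) {` (or `str_contains($h, '.')` where PHP 8 is available). The flag is also raised for every name in the signed-headers list regardless of whether the preceding array_key_exists() branch actually found it in $headers, so a name that never contributed to $signed_data still withholds header_valid — if that is intended, a one-line comment stating why a dot in a signed header name marks the signature as spoofable would help, since the commit message only calls it implementation dependent. The enclosing foreach over the signed header names starts outside the hunk.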
@@ -101,7 +105,8 @@ class HTTPSig {
if($x === false)
return $result;
- $result['header_valid'] = true;
+ if(! $spoofable)
+ $result['header_valid'] = true;
if(in_array('digest',$signed_headers)) {
$result['content_signed'] = true;
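Review bot: `if(! $spoofable)` on the new line guards a single unbraced statement; the file's other conditionals in this hunk do the same, but PSR-12 wants braces, `if(! $spoofable) { $result['header_valid'] = true; }`. With the flag set, a caller receives the same result as an outright signature mismatch and cannot tell that the cryptographic check passed but covered a spoofable header; if that distinction matters for logging or diagnostics, consider recording it, e.g. `$result['spoofable'] = $spoofable;` (a constructed key name), rather than only withholding header_valid. Note that content_signed is still set on the next lines whenever digest is among the signed headers, independently of the spoofable flag — confirm that is the intended contract. The body of verify() continues past the hunk.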