author | friendica <info@friendica.com> | 2012-11-02 16:25:59 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2012-11-02 16:25:59 -0700 |
commit | a47a1d5eb9d8e28a646540c5d19e05ffe35774cc (patch) | |
tree | 55d8e2802a8a477a4d324a6dcbaa509b744e4dcb | |
parent | aca2e3b52ae44b5abe2681bc03351feb150e47ef (diff) | |
secure permission discovery
-rw-r--r-- | include/follow.php | 15 | ||||
-rw-r--r-- | mod/zfinger.php | 4 |
2 files changed, 17 insertions, 2 deletions
diff --git a/include/follow.php b/include/follow.php
index 2b65e389e..b3591b8ba 100644
--- a/include/follow.php
+++ b/include/follow.php
@@ -80,7 +80,20 @@ function new_contact($uid,$url,$channel,$interactive = false) {
 $global_perms = get_perms();
- foreach($j->permissions as $k => $v) {
+ if($j->permissions->data) {
+ $permissions = aes_unencapsulate(array(
+ 'data' => $j->permissions->data,
+ 'key' => $j->permissions->key,
+ 'iv' => $j->permissions->iv),
+ $channel['channel_prvkey']);
+ if($permissions)
+ $permissions = json_decode($permissions);
+ logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA);
+ }
+ else
+ $permissions = $j->permissions;
+
+ foreach($permissions as $k => $v) {
 if($v) {
 $their_perms = $their_perms | intval($global_perms[$k][1]);
 }
diff --git a/mod/zfinger.php b/mod/zfinger.php
index 5567f85cf..80411d16c 100644
--- a/mod/zfinger.php
+++ b/mod/zfinger.php
@@ -78,10 +78,12 @@ function zfinger_init(&$a) {
 // FIXME encrypt permissions when targeted so that only the target can view them, requires sending the pubkey and also checking that the target_sig is signed with that pubkey and isn't a forgery.
- $ret['permissions'] = get_all_perms($e['channel_id'],(($ztarget && $zsig)
+
+ $permissions = get_all_perms($e['channel_id'],(($ztarget && $zsig)
 ? base64url_encode(hash('whirlpool',$ztarget . $zsig,true))
 : '' ),false);
+ $ret['permissions'] = (($ztarget) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions);
 // $ret['profile'] = $profile; |
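Review bot: A failed decryption or decode is not handled before `foreach($permissions as $k => $v)`: the code's own `if($permissions)` test implies `aes_unencapsulate()` can return an empty value, and `json_decode()` can return null, so the loop may receive a non-iterable and leave `$their_perms` unchanged with only a LOGGER_DATA line as evidence. A guard right after the decode, such as `if(! (is_object($permissions) || is_array($permissions))) { logger('new_contact: could not read permissions from response'); $permissions = array(); }`, would make the failure explicit; whether the function should abort instead depends on its error path, which lies outside the hunk. The `else` branch also accepts an unencrypted `$j->permissions` silently, so a response that simply omits `data` is trusted as before, and a short comment saying whether that fallback is intended for older peers would help. Since `$k` comes from the remote document, an `isset($global_perms[$k])` check before indexing is worth adding as well.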
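Review bot: The new `$ret['permissions']` line encrypts whenever `$ztarget` is set, but the lookup above it is targeted only when both `$ztarget` and `$zsig` are present, and nothing in the hunk checks that `$zkey` is non-empty or that `$zsig` was produced with it. The FIXME kept just above names that signature check as a requirement, so as written the targeted permissions appear to be wrapped to whatever key accompanies the request; `$zkey` is assigned outside the hunk, so confirm where it comes from. At minimum the condition should read `(($ztarget && $zsig && $zkey) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions)`, with the targeted `get_all_perms()` lookup gated on the same verified condition. The FIXME should then be reworded to state what is still missing.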