diff options
author | friendica <info@friendica.com> | 2013-09-24 05:20:29 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-24 05:20:29 -0700 |
commit | d4ea56a77ef408347a9d73b36e8066334b8835ea (patch) | |
tree | 8fd5a50d2c14e93736d33e7a1b5858e94371ad5d | |
parent | 1f916adfb889c877ff975be75274fb7f3ac37b1f (diff) | |
download | volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.gz volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.bz2 volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.zip |
reduce susceptibility to bleichenberger attack
-rwxr-xr-x | boot.php | 1 | ||||
-rwxr-xr-x | include/text.php | 2 | ||||
-rw-r--r-- | mod/post.php | 24 | ||||
-rw-r--r-- | version.inc | 2 |
4 files changed, 21 insertions, 8 deletions
@@ -1176,6 +1176,7 @@ function check_config(&$a) { // our URL changed. Do something. $oldurl = hex2bin($saved); + logger('Baseurl changed!'); $oldhost = substr($oldurl,strpos($oldurl,'//')+2); $host = substr(z_root(),strpos(z_root(),'//')+2); diff --git a/include/text.php b/include/text.php index 40df8bd89..be5e2338d 100755 --- a/include/text.php +++ b/include/text.php @@ -1312,7 +1312,7 @@ function get_plink($item) { $a = get_app(); if (x($item,'plink') && ($item['item_private'] != 1)) { return array( - 'href' => $item['plink'], + 'href' => zid($item['plink']), 'title' => t('link to source'), ); } diff --git a/mod/post.php b/mod/post.php index 378192cbf..0e1884d85 100644 --- a/mod/post.php +++ b/mod/post.php @@ -174,18 +174,30 @@ function post_post(&$a) { if(array_key_exists('iv',$data)) { $data = aes_unencapsulate($data,get_config('system','prvkey')); logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA); - if(! $data) { - $ret['message'] = 'Decryption failed.'; - json_return_and_die($ret); - } + +// susceptible to Bleichenberger attack +// if(! $data) { +// $ret['message'] = 'Decryption failed.'; +// json_return_and_die($ret); +// } $data = json_decode($data,true); } if(! $data) { - $ret['message'] = 'No data received.'; - json_return_and_die($ret); + + // possible Bleichenberger attack, just treat it as a + // message we have no handler for. It should fail a bit + // further along with "no hub". Our public key is public + // knowledge. There's no reason why anybody should get the + // encryption wrong unless they're fishing or hacking. If + // they're developing and made a goof, this can be discovered + // in the logs of the destination site. If they're fishing or + // hacking, the bottom line is we can't verify their hub. + // That's all we're going to tell them. + + $data = array('type' => 'bogus'); } logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA); diff --git a/version.inc b/version.inc index 451a8e715..713343a75 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2013-09-23.445 +2013-09-24.446 |