authorfriendica <info@friendica.com>2013-09-24 05:20:29 -0700
committerfriendica <info@friendica.com>2013-09-24 05:20:29 -0700
commitd4ea56a77ef408347a9d73b36e8066334b8835ea (patch)
tree8fd5a50d2c14e93736d33e7a1b5858e94371ad5d
parent1f916adfb889c877ff975be75274fb7f3ac37b1f (diff)
reduce susceptibility to bleichenberger attack
-rwxr-xr-xboot.php1
-rwxr-xr-xinclude/text.php2
-rw-r--r--mod/post.php24
-rw-r--r--version.inc2
4 files changed, 21 insertions, 8 deletions
diff --git a/boot.php b/boot.php
index 346a0f926..ce7218013 100755
--- a/boot.php
+++ b/boot.php
@@ -1176,6 +1176,7 @@ function check_config(&$a) {
// our URL changed. Do something.
$oldurl = hex2bin($saved);
+ logger('Baseurl changed!');
$oldhost = substr($oldurl,strpos($oldurl,'//')+2);
$host = substr(z_root(),strpos(z_root(),'//')+2);
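Review bot: The new `logger('Baseurl changed!')` fires before `$oldhost` and `$host` are derived on the two lines that follow it, so the log entry records that the base URL changed but not from what to what, which is the one thing an operator needs when checking whether the change was expected. Moving the call below those two assignments and logging `logger('Baseurl changed from ' . $oldhost . ' to ' . $host);` makes the event auditable without adding a second log line. check_config continues outside the hunk, so whatever it does with the new host afterwards is not visible here.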
diff --git a/include/text.php b/include/text.php
index 40df8bd89..be5e2338d 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1312,7 +1312,7 @@ function get_plink($item) {
$a = get_app();
if (x($item,'plink') && ($item['item_private'] != 1)) {
return array(
- 'href' => $item['plink'],
+ 'href' => zid($item['plink']),
'title' => t('link to source'),
);
}
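Review bot: Wrapping the plink in `zid()` has nothing to do with the Bleichenbacher mitigation the commit title describes, and bundling it here makes the security change harder to review and to backport on its own; it would be cleaner as a separate commit. What `zid()` appends to the URL is not visible in this hunk, so the intent should be stated where the call is made, e.g. `// zid() decorates the source link so the viewer's identity travels with it (confirm against zid's definition)`. get_plink's body continues outside the hunk.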
diff --git a/mod/post.php b/mod/post.php
index 378192cbf..0e1884d85 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -174,18 +174,30 @@ function post_post(&$a) {
if(array_key_exists('iv',$data)) {
$data = aes_unencapsulate($data,get_config('system','prvkey'));
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
- if(! $data) {
- $ret['message'] = 'Decryption failed.';
- json_return_and_die($ret);
- }
+
+// susceptible to Bleichenberger attack
+// if(! $data) {
+// $ret['message'] = 'Decryption failed.';
+// json_return_and_die($ret);
+// }
$data = json_decode($data,true);
}
if(! $data) {
- $ret['message'] = 'No data received.';
- json_return_and_die($ret);
+
+ // possible Bleichenberger attack, just treat it as a
+ // message we have no handler for. It should fail a bit
+ // further along with "no hub". Our public key is public
+ // knowledge. There's no reason why anybody should get the
+ // encryption wrong unless they're fishing or hacking. If
+ // they're developing and made a goof, this can be discovered
+ // in the logs of the destination site. If they're fishing or
+ // hacking, the bottom line is we can't verify their hub.
+ // That's all we're going to tell them.
+
+ $data = array('type' => 'bogus');
}
logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);
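Review bot: The commented-out block added at the top of the hunk should be deleted rather than kept as dead code, and both it and the long comment below misspell the attack: it is Bleichenbacher, which matters because a future maintainer searching for the mitigation will not find it under the current spelling. A single line in its place, `// Decryption failure is deliberately not reported to the sender (Bleichenbacher padding-oracle mitigation); see the 'bogus' fallthrough below.`, documents the decision without preserving the old response code. The mitigation itself only closes the oracle if the path the `array('type' => 'bogus')` sentinel takes responds with the same body, status and comparable timing as a genuinely unknown hub, and that downstream handling lies outside the hunk; the comment's claim that it "should fail a bit further along" is worth confirming against that code and noting there. The `if(! $data)` context check also treats a payload that decodes to an empty array as bogus, which is pre-existing but now silently routes such messages into the sentinel path. post_post continues outside the hunk.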
diff --git a/version.inc b/version.inc
index 451a8e715..713343a75 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2013-09-23.445
+2013-09-24.446