authorzotlabs <mike@macgirvin.com>2018-10-12 04:28:47 +0000
committerMario <mario@mariovavti.com>2018-10-12 10:56:28 +0200
commitf7834547744d232091b966b24b9d2e95bda97681 (patch)
tree79353945d8b1d9dd093def2eee9f0a7d448c78de
parent2ab6e0843d199df5611072725bcabf76a518f9e9 (diff)
downloadvolse-hubzilla-f7834547744d232091b966b24b9d2e95bda97681.tar.gz
volse-hubzilla-f7834547744d232091b966b24b9d2e95bda97681.tar.bz2
volse-hubzilla-f7834547744d232091b966b24b9d2e95bda97681.zip
verify some edge case http signatures
(cherry picked from commit c6bfd5e7befedf79ab6f7e70902e5fb2aa69fa6f)
-rw-r--r--Zotlabs/Web/HTTPSig.php6
-rw-r--r--include/network.php24
2 files changed, 26 insertions, 4 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index ec7bb0d67..f27aa0556 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -52,6 +52,7 @@ class HTTPSig {
$h = new \Zotlabs\Web\HTTPHeaders($data['header']);
$headers = $h->fetcharr();
$body = $data['body'];
+ $headers['(request-target)'] = $data['request_target'];
}
else {
@@ -60,6 +61,7 @@ class HTTPSig {
strtolower($_SERVER['REQUEST_METHOD']) . ' ' .
$_SERVER['REQUEST_URI'];
$headers['content-type'] = $_SERVER['CONTENT_TYPE'];
+ $headers['content-length'] = $_SERVER['CONTENT_LENGTH'];
foreach($_SERVER as $k => $v) {
if(strpos($k,'HTTP_') === 0) {
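Review bot: `$_SERVER['CONTENT_LENGTH']` on the added line is only populated when the incoming request actually carried a Content-Length header, so every bodiless GET that reaches this verifier now raises an undefined-index notice and stores null; the pre-existing `CONTENT_TYPE` line just above has the same gap. Guard it the way the rest of the `$_SERVER` handling should be guarded: `$headers['content-length'] = (isset($_SERVER['CONTENT_LENGTH']) ? $_SERVER['CONTENT_LENGTH'] : '');`. A signer that lists `content-length` for a request without one would still fail verification, which is the correct outcome. The enclosing method starts and ends outside this hunk.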
@@ -104,10 +106,6 @@ class HTTPSig {
if(strpos($h,'.')) {
$spoofable = true;
}
- if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
- logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
- return $result;
- }
if($h === 'date') {
$d = new \DateTime($headers[$h]);
$d->setTimeZone(new \DateTimeZone('UTC'));
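Review bot: Deleting the `host` check leaves nothing in this loop that binds a signed `host` header to this hub, so a request signed for another host, or one captured there and replayed here, still verifies as long as the Host header the sender chooses matches what was signed. The removed test was itself unsound — it checked that the header value is a substring of `\App::get_hostname()`, so a header of `e` passes and `example.com:443` fails — which is presumably the edge case the commit is working around; an exact, case-insensitive comparison keeps the binding without that breakage: `if($h === 'host' && strtolower(explode(':', $headers[$h])[0]) !== strtolower(\App::get_hostname())) { logger('bad host: ' . $headers[$h]); return $result; }`. Whether `get_hostname()` itself can carry a port is not visible here, so confirm that before adopting the `explode` form. The enclosing method starts and ends outside this hunk.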
diff --git a/include/network.php b/include/network.php
index 5ae02deff..4c9813768 100644
--- a/include/network.php
+++ b/include/network.php
@@ -48,6 +48,10 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
if(($redirects > 8) || (! $ch))
return $ret;
+ if(! array_key_exists('request_target',$opts)) {
+ $opts['request_target'] = 'get ' . get_request_string($url);
+ }
+
@curl_setopt($ch, CURLOPT_HEADER, true);
@curl_setopt($ch, CURLINFO_HEADER_OUT, true);
@curl_setopt($ch, CURLOPT_CAINFO, get_capath());
@@ -179,6 +183,7 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
}
$ret['body'] = substr($s,strlen($header));
$ret['header'] = $header;
+ $ret['request_target'] = $opts['request_target'];
if(x($opts,'debug')) {
$ret['debug'] = $curl_info;
@@ -227,6 +232,10 @@ function z_post_url($url, $params, $redirects = 0, $opts = array()) {
if(($redirects > 8) || (! $ch))
return $ret;
+ if(! array_key_exists('request_target',$opts)) {
+ $opts['request_target'] = 'get ' . get_request_string($url);
+ }
+
@curl_setopt($ch, CURLOPT_HEADER, true);
@curl_setopt($ch, CURLINFO_HEADER_OUT, true);
@curl_setopt($ch, CURLOPT_CAINFO, get_capath());
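Review bot: The default `request_target` added at the top of z_post_url is built with the verb `get`, but this function presumably issues a POST (its curl setup and body continue past the hunk), so the `(request-target)` stored in the result and later injected into the verifier's header set will read `get /path` for a signature computed over `post /path`, and every such signature fails unless each caller overrides `request_target`. Use the matching verb: `$opts['request_target'] = 'post ' . get_request_string($url);`. The same block in z_fetch_url is correct as written.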
@@ -359,6 +368,7 @@ function z_post_url($url, $params, $redirects = 0, $opts = array()) {
$ret['body'] = substr($s, strlen($header));
$ret['header'] = $header;
+ $ret['request_target'] = $opts['request_target'];
if(x($opts,'debug')) {
$ret['debug'] = $curl_info;
@@ -2080,3 +2090,17 @@ function jsonld_document_loader($url) {
return [];
}
+
+/**
+ * @brief Given a URL, return everything after the host portion.
+ * example https://foobar.com/gravy?g=5&y=6
+ * returns /gravy?g=5&y=6
+ * result always returns the leading slash
+ */
+
+function get_request_string($url) {
+
+ $a = explode('/',$url,4);
+ return '/' . ((count($a) > 3) ? $a[3] : EMPTY_STR);
+
+}