aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2018-10-09 22:37:53 -0700
committerzotlabs <mike@macgirvin.com>2018-10-09 22:37:53 -0700
commitc6f3298f7864756f4a9b7827e8490a3ee859f82f (patch)
tree6e59110dee7e48040421e3c4ac5b08688c13ad04 /Zotlabs/Module
parent2cb52f88755aac62f208463e4754153bbf249c67 (diff)
downloadvolse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.gz
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.bz2
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.zip
SECURITY: signature issue
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Magic.php7
-rw-r--r--Zotlabs/Module/Owa.php2
2 files changed, 7 insertions, 2 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index be6866592..71737eef8 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -146,12 +146,17 @@ class Magic extends \Zotlabs\Web\Controller {
$dest = strip_zids($dest);
$dest = strip_query_param($dest,'f');
+ $data = json_encode([ 'OpenWebAuth' => random_string() ]);
+
$headers = [];
$headers['Accept'] = 'application/x-zot+json' ;
$headers['X-Open-Web-Auth'] = random_string();
+ $headers['Host'] = $parsed['host'];
+ $headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false);
+
$headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
- $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]);
+ $x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]);
if($x['success']) {
$j = json_decode($x['body'],true);
diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php
index da26748b3..4a488086f 100644
--- a/Zotlabs/Module/Owa.php
+++ b/Zotlabs/Module/Owa.php
@@ -45,7 +45,7 @@ class Owa extends \Zotlabs\Web\Controller {
}
if($r) {
foreach($r as $hubloc) {
- $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
+ $verified = \Zotlabs\Web\HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']);
if($verified && $verified['header_signed'] && $verified['header_valid']) {
logger('OWA header: ' . print_r($verified,true),LOGGER_DATA);
logger('OWA success: ' . $hubloc['hubloc_addr'],LOGGER_DATA);