diff options
author | zotlabs <mike@macgirvin.com> | 2018-10-10 05:37:53 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2018-10-10 13:34:54 +0200 |
commit | 4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7 (patch) | |
tree | 2c91925e298888c619ce1d0a60acced347e8a3f5 /Zotlabs/Module | |
parent | 94905a71ac29de37c6798c933df1a7c55f183c49 (diff) | |
download | volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.gz volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.bz2 volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.zip |
SECURITY: signature issue
(cherry picked from commit c6f3298f7864756f4a9b7827e8490a3ee859f82f)
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Magic.php | 7 | ||||
-rw-r--r-- | Zotlabs/Module/Owa.php | 2 |
2 files changed, 7 insertions, 2 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index be6866592..71737eef8 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -146,12 +146,17 @@ class Magic extends \Zotlabs\Web\Controller { $dest = strip_zids($dest); $dest = strip_query_param($dest,'f'); + $data = json_encode([ 'OpenWebAuth' => random_string() ]); + $headers = []; $headers['Accept'] = 'application/x-zot+json' ; $headers['X-Open-Web-Auth'] = random_string(); + $headers['Host'] = $parsed['host']; + $headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); - $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + $x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]); if($x['success']) { $j = json_decode($x['body'],true); diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php index da26748b3..4a488086f 100644 --- a/Zotlabs/Module/Owa.php +++ b/Zotlabs/Module/Owa.php @@ -45,7 +45,7 @@ class Owa extends \Zotlabs\Web\Controller { } if($r) { foreach($r as $hubloc) { - $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); + $verified = \Zotlabs\Web\HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']); if($verified && $verified['header_signed'] && $verified['header_valid']) { logger('OWA header: ' . print_r($verified,true),LOGGER_DATA); logger('OWA success: ' . $hubloc['hubloc_addr'],LOGGER_DATA); |