aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Web/HTTPSig.php
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2018-10-10 05:37:53 +0000
committerMario <mario@mariovavti.com>2018-10-10 13:34:54 +0200
commit4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7 (patch)
tree2c91925e298888c619ce1d0a60acced347e8a3f5 /Zotlabs/Web/HTTPSig.php
parent94905a71ac29de37c6798c933df1a7c55f183c49 (diff)
downloadvolse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.gz
volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.bz2
volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.zip
SECURITY: signature issue
(cherry picked from commit c6f3298f7864756f4a9b7827e8490a3ee859f82f)
Diffstat (limited to 'Zotlabs/Web/HTTPSig.php')
-rw-r--r--Zotlabs/Web/HTTPSig.php15
1 files changed, 15 insertions, 0 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index df66ecf5c..ec7bb0d67 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -104,6 +104,21 @@ class HTTPSig {
if(strpos($h,'.')) {
$spoofable = true;
}
+ if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
+ logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
+ return $result;
+ }
+ if($h === 'date') {
+ $d = new \DateTime($headers[$h]);
+ $d->setTimeZone(new \DateTimeZone('UTC'));
+ $dplus = datetime_convert('UTC','UTC','now + 1 day');
+ $dminus = datetime_convert('UTC','UTC','now - 1 day');
+ $c = $d->format('Y-m-d H:i:s');
+ if($c > $dplus || $c < $dminus) {
+ logger('bad time: ' . $c);
+ return $result;
+ }
+ }
}
$signed_data = rtrim($signed_data,"\n");