SECURITY: signature issue

author: zotlabs <mike@macgirvin.com> 2018-10-09 22:37:53 -0700
committer: zotlabs <mike@macgirvin.com> 2018-10-09 22:37:53 -0700
commit: c6f3298f7864756f4a9b7827e8490a3ee859f82f (patch)
tree: 6e59110dee7e48040421e3c4ac5b08688c13ad04 /Zotlabs/Web
parent: 2cb52f88755aac62f208463e4754153bbf249c67 (diff)
download: volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.gz
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.bz2
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index df66ecf5c..ec7bb0d67 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -104,6 +104,21 @@ class HTTPSig {
 			if(strpos($h,'.')) {
 				$spoofable = true;
 			}
+			if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
+				logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
+				return $result;
+			}
+			if($h === 'date') {
+				$d = new \DateTime($headers[$h]);
+				$d->setTimeZone(new \DateTimeZone('UTC'));
+				$dplus = datetime_convert('UTC','UTC','now + 1 day');
+				$dminus = datetime_convert('UTC','UTC','now - 1 day');
+				$c = $d->format('Y-m-d H:i:s');
+				if($c > $dplus || $c < $dminus) {
+					logger('bad time: ' . $c);
+					return $result;
+				}
+			}
 		}
 		$signed_data = rtrim($signed_data,"\n");
author	zotlabs <mike@macgirvin.com>	2018-10-09 22:37:53 -0700
committer	zotlabs <mike@macgirvin.com>	2018-10-09 22:37:53 -0700
commit	c6f3298f7864756f4a9b7827e8490a3ee859f82f (patch)
tree	6e59110dee7e48040421e3c4ac5b08688c13ad04 /Zotlabs/Web
parent	2cb52f88755aac62f208463e4754153bbf249c67 (diff)
download	volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.gz volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.bz2 volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.zip