aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Zot/Finger.php
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2018-10-09 22:37:53 -0700
committerzotlabs <mike@macgirvin.com>2018-10-09 22:37:53 -0700
commitc6f3298f7864756f4a9b7827e8490a3ee859f82f (patch)
tree6e59110dee7e48040421e3c4ac5b08688c13ad04 /Zotlabs/Zot/Finger.php
parent2cb52f88755aac62f208463e4754153bbf249c67 (diff)
downloadvolse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.gz
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.tar.bz2
volse-hubzilla-c6f3298f7864756f4a9b7827e8490a3ee859f82f.zip
SECURITY: signature issue
Diffstat (limited to 'Zotlabs/Zot/Finger.php')
-rw-r--r--Zotlabs/Zot/Finger.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 559f9657a..1d20f5822 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -71,6 +71,11 @@ class Finger {
$url = 'https://' . $host;
}
+ $m = parse_url($url);
+ if($m) {
+ $parsed_host = strtolower($m['host']);
+ }
+
$rhs = '/.well-known/zot-info';
$https = ((strpos($url,'https://') === 0) ? true : false);
@@ -88,6 +93,8 @@ class Finger {
$headers = [];
$headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
$headers['X-Zot-Nonce'] = random_string();
+ $headers['Host'] = $parsed['host'];
+
$xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);