authorredmatrix <git@macgirvin.com>2016-05-22 22:44:13 -0700
committerredmatrix <git@macgirvin.com>2016-05-22 22:44:13 -0700
commitbbc71343bdfc724425927ebab404b035c65f569c (patch)
treeee3c193ee84025ef37705a11179c3e986ba6c617 /Zotlabs/Zot
parenta1aa3d906159e4ad563779e5f220dddbfbd744c4 (diff)
change the signed token format. We don't want folks to be able to submit random text for signing by us, as they could then use these to generate known signatures.
Diffstat (limited to 'Zotlabs/Zot')
-rw-r--r--Zotlabs/Zot/Finger.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 63fdd4a4c..07798fbb1 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -110,7 +110,7 @@ class Finger {
if($x) {
$signed_token = ((is_array($x) && array_key_exists('signed_token',$x)) ? $x['signed_token'] : null);
if($signed_token) {
- $valid = rsa_verify(self::$token,base64url_decode($signed_token),$x['key']);
+ $valid = rsa_verify('token.' . self::$token,base64url_decode($signed_token),$x['key']);
if(! $valid) {
logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
return $ret;
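Review bot: On the changed `rsa_verify` line, `$x['key']` is read without the `array_key_exists` guard that `signed_token` gets two lines earlier, so a response that carries a signed token but no key passes null as the verification key. The key also comes from the same response whose signature is being checked; unless it is compared against an already-known key somewhere outside the hunk, a valid signature only shows that the responder holds the private half of whatever key it sent. I would guard the lookup, e.g. `$valid = (array_key_exists('key',$x) && rsa_verify('token.' . self::$token,base64url_decode($signed_token),$x['key']));`, and add a comment such as `// 'token.' prefix: domain separation, must match the string the responder signs`. The enclosing method starts and ends outside the hunk, and the signing side is not shown here.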