SECURITY: signature issue

(cherry picked from commit c6f3298f7864756f4a9b7827e8490a3ee859f82f)
author: zotlabs <mike@macgirvin.com> 2018-10-10 05:37:53 +0000
committer: Mario <mario@mariovavti.com> 2018-10-10 13:34:54 +0200
commit: 4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7 (patch)
tree: 2c91925e298888c619ce1d0a60acced347e8a3f5 /Zotlabs/Zot
parent: 94905a71ac29de37c6798c933df1a7c55f183c49 (diff)
download: volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.gz
volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.bz2
volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 559f9657a..1d20f5822 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -71,6 +71,11 @@ class Finger {
 			$url = 'https://' . $host;
 		}
 
+		$m = parse_url($url);
+		if($m) {
+			$parsed_host = strtolower($m['host']);
+		}
+
 		$rhs = '/.well-known/zot-info';
 		$https = ((strpos($url,'https://') === 0) ? true : false);
 
@@ -88,6 +93,8 @@ class Finger {
 			$headers = [];
 			$headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname();
 			$headers['X-Zot-Nonce']   = random_string();
+			$headers['Host']          = $parsed['host'];
+
 			$xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'],
 				'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false);
author	zotlabs <mike@macgirvin.com>	2018-10-10 05:37:53 +0000
committer	Mario <mario@mariovavti.com>	2018-10-10 13:34:54 +0200
commit	4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7 (patch)
tree	2c91925e298888c619ce1d0a60acced347e8a3f5 /Zotlabs/Zot
parent	94905a71ac29de37c6798c933df1a7c55f183c49 (diff)
download	volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.gz volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.tar.bz2 volse-hubzilla-4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7.zip