aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-11-29 13:51:54 -0800
committerzotlabs <mike@macgirvin.com>2017-11-29 13:51:54 -0800
commit5abcb8c97813d66b63ca697ca626347a9fd8d95c (patch)
tree0bc8c7011de18a7f83eb777ca2e9a1c923717fb4 /Zotlabs
parent455720ae938126d9a0d3c728beb0a7ba3268a4d0 (diff)
downloadvolse-hubzilla-5abcb8c97813d66b63ca697ca626347a9fd8d95c.tar.gz
volse-hubzilla-5abcb8c97813d66b63ca697ca626347a9fd8d95c.tar.bz2
volse-hubzilla-5abcb8c97813d66b63ca697ca626347a9fd8d95c.zip
use httpsig auth for getfile
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Module/Getfile.php57
1 files changed, 46 insertions, 11 deletions
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
index 413a68e0c..3f84b4050 100644
--- a/Zotlabs/Module/Getfile.php
+++ b/Zotlabs/Module/Getfile.php
@@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller {
function post() {
- logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
-
+ $header_verification = false;
+
$hash = $_POST['hash'];
$time = $_POST['time'];
$sig = $_POST['signature'];
$resource = $_POST['resource'];
$revision = intval($_POST['revision']);
$resolution = (-1);
-
+
if(! $hash)
killme();
+
+ foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+ if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+ if($head !== 'HTTP_AUTHORIZATION') {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
+ continue;
+ }
+
+ $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+ if($sigblock) {
+ $keyId = $sigblock['keyId'];
+
+ if($keyId) {
+ $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash
+ where hubloc_addr = '%s' limit 1",
+ dbesc(str_replace('acct:','',$keyId))
+ );
+ if($r) {
+ $hubloc = $r[0];
+ $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
+ if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
+ $header_verified = true;
+ }
+ }
+ }
+ }
+ }
+ }
+
+
+ logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
+ if($header_verified) {
+ logger('HTTPSig verified');
+ }
$channel = channelx_by_hash($hash);
@@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller {
$d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
$d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
- if(($time > $d1) || ($time < $d2)) {
- logger('time outside allowable range');
- killme();
- }
+ if(! $header_verified) {
+ if(($time > $d1) || ($time < $d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
- if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
- logger('verify failed.');
- killme();
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
}
-
if($resolution > 0) {
$r = q("select * from photo where resource_id = '%s' and uid = %d limit 1",