diff options
author | zotlabs <mike@macgirvin.com> | 2017-09-03 17:12:42 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2017-09-03 17:12:42 -0700 |
commit | db82d303e217c2ca599a8b740ebb62339d373124 (patch) | |
tree | 25b180af20e5c439698e0e803c7b68889e0cb9f8 /Zotlabs | |
parent | 499b7de0d217e5e56819f34dea26cb5d395e2a0b (diff) | |
download | volse-hubzilla-db82d303e217c2ca599a8b740ebb62339d373124.tar.gz volse-hubzilla-db82d303e217c2ca599a8b740ebb62339d373124.tar.bz2 volse-hubzilla-db82d303e217c2ca599a8b740ebb62339d373124.zip |
only validate headers that aren't "spoofable", which will be somewhat implementation dependent.
Diffstat (limited to 'Zotlabs')
-rw-r--r-- | Zotlabs/Web/HTTPSig.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 1f485a881..e9e262125 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -24,8 +24,9 @@ class HTTPSig { static function verify($data,$key = '') { - $body = $data; - $headers = null; + $body = $data; + $headers = null; + $spoofable = false; $result = [ 'signer' => '', @@ -80,6 +81,9 @@ class HTTPSig { if(array_key_exists($h,$headers)) { $signed_data .= $h . ': ' . $headers[$h] . "\n"; } + if(strpos($h,'.')) { + $spoofable = true; + } } $signed_data = rtrim($signed_data,"\n"); @@ -101,7 +105,8 @@ class HTTPSig { if($x === false) return $result; - $result['header_valid'] = true; + if(! $spoofable) + $result['header_valid'] = true; if(in_array('digest',$signed_headers)) { $result['content_signed'] = true; |