authorzotlabs <mike@macgirvin.com>2017-09-03 23:50:18 -0700
committerzotlabs <mike@macgirvin.com>2017-09-03 23:50:18 -0700
commitfc62f07a089daf698953e6e4197668fbf8aebef9 (patch)
tree3e6a0b53dc61008b336497eb16a693b8670b6004 /Zotlabs
parent3d0a7f4fc5eacbafa08f49118dc7e54927b4fbed (diff)
downloadvolse-hubzilla-fc62f07a089daf698953e6e4197668fbf8aebef9.tar.gz
volse-hubzilla-fc62f07a089daf698953e6e4197668fbf8aebef9.tar.bz2
volse-hubzilla-fc62f07a089daf698953e6e4197668fbf8aebef9.zip
validate the security context
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Module/Magic.php6
-rw-r--r--Zotlabs/Zot/Auth.php7
2 files changed, 10 insertions, 3 deletions
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index 9ee5f9324..bf3198067 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -133,10 +133,10 @@ class Magic extends \Zotlabs\Web\Controller {
$channel = \App::get_channel();
$token = random_string();
- $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
+// $token_sig = base64url_encode(rsa_sign($token,$channel['channel_prvkey']));
- $channel['token'] = $token;
- $channel['token_sig'] = $token_sig;
+// $channel['token'] = $token;
+// $channel['token_sig'] = $token_sig;
\Zotlabs\Zot\Verify::create('auth',$channel['channel_id'],$token,$x[0]['hubloc_url']);
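Review bot: The three signing lines in Magic.php are commented out rather than deleted, and neither the hunk nor the commit message says why the RSA signature over the token is no longer attached to `$channel`. Either remove them or replace them with one explanatory comment, for example `// token_sig no longer sent; the token is checked against the Verify record created below` (the reason is inferred, so the author should confirm the wording). The commented lines also start at column 0, out of line with the surrounding code. The enclosing method starts and ends outside the hunk.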
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 92b0fff78..afb7b1535 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -43,6 +43,12 @@ class Auth {
$this->Finalise();
}
+ if(strpbrk($this->sec,'.:')) {
+ logger('illegal security context');
+ $this->Debug('illegal security context.');
+ $this->Finalise();
+ }
+
$x = $this->GetHublocs($this->address);
if($x) {
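Review bot: The new check on `$this->sec` rejects only two characters (`.` and `:`), so any other unexpected byte still reaches `GetHublocs()` and later `zot_build_packet()`; matching the expected token format is tighter than a denylist. If the context is always the value produced by `random_string()` in Magic.php, something like `if(! is_string($this->sec) || ! preg_match('/^[0-9a-zA-Z]+$/', $this->sec)) {` would do, with the exact alphabet confirmed against `random_string()`, which is not shown here. The branch also relies on `Finalise()` not returning, as the preceding block does; a comment saying so, or an explicit `return;` after it, would make that visible. The `logger()` line carries no detail about the request, which makes a rejection hard to correlate later. The enclosing method begins and ends outside the hunk.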
@@ -153,6 +159,7 @@ class Auth {
dbesc($hubloc['hubloc_url'])
);
+ // needs a nonce!!!!
$p = zot_build_packet($channel,$type = 'auth_check',
array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);
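Review bot: The added `// needs a nonce!!!!` comment records a gap without saying what it is, so a reader cannot tell which field is missing or what the risk is. Presumably the concern is that the `auth_check` packet built from `$this->sec` carries no freshness value and could be replayed; if so, say that, e.g. `// TODO: add a per-request nonce to the auth_check packet so a captured packet cannot be reused`, and track it in an issue as well as in the code. The enclosing method starts and ends outside the hunk.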