diff options
| author | zotlabs <mike@macgirvin.com> | 2016-12-26 13:10:24 -0800 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2016-12-26 13:10:24 -0800 |
| commit | b530d1d44981df955842f4f572676db83d18084e (patch) | |
| tree | 52464bc1155a964cb9443c83ebcc262782ce36a9 /include/hubloc.php | |
| parent | 56219f9f61a32e5733a8c6315637bfae13e38fc0 (diff) | |
| download | volse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.tar.gz volse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.tar.bz2 volse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.zip | |
perform input validation on xchan_store and re-enable the post method of the xchan api endpoint.
Diffstat (limited to 'include/hubloc.php')
| -rw-r--r-- | include/hubloc.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/include/hubloc.php b/include/hubloc.php index 17f921f67..6f81ea31f 100644 --- a/include/hubloc.php +++ b/include/hubloc.php @@ -200,6 +200,14 @@ function xchan_store($arr) { if(! $arr['photo']) $arr['photo'] = z_root() . '/' . get_default_profile_photo(); + + if($arr['network'] === 'zot') { + if((! $arr['key']) || (! rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key']))) { + logger('Unable to verify signature for ' . $arr['hash']); + return false; + } + } + $r = q("insert into xchan ( xchan_hash, xchan_guid, xchan_guid_sig, xchan_pubkey, xchan_addr, xchan_url, xchan_connurl, xchan_follow, xchan_connpage, xchan_name, xchan_network, xchan_instance_url, xchan_hidden, xchan_orphan, xchan_censored, xchan_selfcensored, xchan_system, xchan_pubforum, xchan_deleted, xchan_name_date ) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s','%s','%s','%s',%d, %d, %d, %d, %d, %d, %d, '%s') ", dbesc($arr['hash']), dbesc($arr['guid']), |