aboutsummaryrefslogtreecommitdiffstats
path: root/include/zot.php
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-09-05 17:12:31 -0700
committerMario Vavti <mario@mariovavti.com>2017-09-06 13:38:33 +0200
commit1305584d77e1b7ecedb545b92b037a89dd631361 (patch)
treec3880d82c7a652134061265937d1097a5e2cbe33 /include/zot.php
parent03b31932d18726b20a60051a0c5e70c3d8dfe287 (diff)
downloadvolse-hubzilla-1305584d77e1b7ecedb545b92b037a89dd631361.tar.gz
volse-hubzilla-1305584d77e1b7ecedb545b92b037a89dd631361.tar.bz2
volse-hubzilla-1305584d77e1b7ecedb545b92b037a89dd631361.zip
avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.
Diffstat (limited to 'include/zot.php')
-rw-r--r--include/zot.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/zot.php b/include/zot.php
index 3143fa000..e120755b5 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -133,7 +133,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
}
if ($secret) {
- $data['secret'] = $secret;
+ $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
$data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey']));
}