aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-09-05 17:12:31 -0700
committerzotlabs <mike@macgirvin.com>2017-09-05 17:12:31 -0700
commit6147f819ce908d7a52f905658e827c48aad92074 (patch)
tree5b1374914c359eab184ea6812778a67036e9f218 /include
parent842a041a888434df7d6312db08ce805c5ee21bf7 (diff)
downloadvolse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.tar.gz
volse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.tar.bz2
volse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.zip
avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.
Diffstat (limited to 'include')
-rw-r--r--include/zot.php3
1 files changed, 1 insertions, 2 deletions
diff --git a/include/zot.php b/include/zot.php
index 56bd7d212..cb213eff3 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -137,7 +137,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
}
if ($secret) {
- $data['secret'] = $secret;
+ $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
$data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method));
}
@@ -4621,7 +4621,6 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification.
- // needs a nonce!!!!
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;