aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2016-12-26 13:10:24 -0800
committerzotlabs <mike@macgirvin.com>2016-12-26 13:10:24 -0800
commitb530d1d44981df955842f4f572676db83d18084e (patch)
tree52464bc1155a964cb9443c83ebcc262782ce36a9 /include
parent56219f9f61a32e5733a8c6315637bfae13e38fc0 (diff)
downloadvolse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.tar.gz
volse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.tar.bz2
volse-hubzilla-b530d1d44981df955842f4f572676db83d18084e.zip
perform input validation on xchan_store and re-enable the post method of the xchan api endpoint.
Diffstat (limited to 'include')
-rw-r--r--include/api_zot.php4
-rw-r--r--include/hubloc.php8
2 files changed, 10 insertions, 2 deletions
diff --git a/include/api_zot.php b/include/api_zot.php
index d1979c3ae..82de85454 100644
--- a/include/api_zot.php
+++ b/include/api_zot.php
@@ -334,8 +334,8 @@
logger('api_xchan');
require_once('include/hubloc.php');
- if($_SERVER['REQUEST_METHOD'] === 'POST') {
- // $r = xchan_store($_REQUEST);
+ if($_SERVER['REQUEST_METHOD'] === 'POST') {
+ $r = xchan_store($_REQUEST);
}
$r = xchan_fetch($_REQUEST);
json_return_and_die($r);
diff --git a/include/hubloc.php b/include/hubloc.php
index 17f921f67..6f81ea31f 100644
--- a/include/hubloc.php
+++ b/include/hubloc.php
@@ -200,6 +200,14 @@ function xchan_store($arr) {
if(! $arr['photo'])
$arr['photo'] = z_root() . '/' . get_default_profile_photo();
+
+ if($arr['network'] === 'zot') {
+ if((! $arr['key']) || (! rsa_verify($arr['guid'],base64url_decode($arr['guid_sig']),$arr['key']))) {
+ logger('Unable to verify signature for ' . $arr['hash']);
+ return false;
+ }
+ }
+
$r = q("insert into xchan ( xchan_hash, xchan_guid, xchan_guid_sig, xchan_pubkey, xchan_addr, xchan_url, xchan_connurl, xchan_follow, xchan_connpage, xchan_name, xchan_network, xchan_instance_url, xchan_hidden, xchan_orphan, xchan_censored, xchan_selfcensored, xchan_system, xchan_pubforum, xchan_deleted, xchan_name_date ) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s','%s','%s','%s',%d, %d, %d, %d, %d, %d, %d, '%s') ",
dbesc($arr['hash']),
dbesc($arr['guid']),