diff options
| author | zotlabs <mike@macgirvin.com> | 2017-09-05 17:12:31 -0700 |
|---|---|---|
| committer | zotlabs <mike@macgirvin.com> | 2017-09-05 17:12:31 -0700 |
| commit | 6147f819ce908d7a52f905658e827c48aad92074 (patch) | |
| tree | 5b1374914c359eab184ea6812778a67036e9f218 /include | |
| parent | 842a041a888434df7d6312db08ce805c5ee21bf7 (diff) | |
| download | volse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.tar.gz volse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.tar.bz2 volse-hubzilla-6147f819ce908d7a52f905658e827c48aad92074.zip | |
avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.
Diffstat (limited to 'include')
| -rw-r--r-- | include/zot.php | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/include/zot.php b/include/zot.php index 56bd7d212..cb213eff3 100644 --- a/include/zot.php +++ b/include/zot.php @@ -137,7 +137,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot } if ($secret) { - $data['secret'] = $secret; + $data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret); $data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method)); } @@ -4621,7 +4621,6 @@ function zot_reply_auth_check($data,$encrypted_packet) { // First verify their signature. We will have obtained a zot-info packet from them as part of the sender // verification. - // needs a nonce!!!! if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) { logger('mod_zot: auth_check: sender not found or secret_sig invalid.'); $ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL; |