aboutsummaryrefslogtreecommitdiffstats
path: root/mod
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2013-09-24 05:20:29 -0700
committerfriendica <info@friendica.com>2013-09-24 05:20:29 -0700
commitd4ea56a77ef408347a9d73b36e8066334b8835ea (patch)
tree8fd5a50d2c14e93736d33e7a1b5858e94371ad5d /mod
parent1f916adfb889c877ff975be75274fb7f3ac37b1f (diff)
downloadvolse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.gz
volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.bz2
volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.zip
reduce susceptibility to bleichenberger attack
Diffstat (limited to 'mod')
-rw-r--r--mod/post.php24
1 files changed, 18 insertions, 6 deletions
diff --git a/mod/post.php b/mod/post.php
index 378192cbf..0e1884d85 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -174,18 +174,30 @@ function post_post(&$a) {
if(array_key_exists('iv',$data)) {
$data = aes_unencapsulate($data,get_config('system','prvkey'));
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
- if(! $data) {
- $ret['message'] = 'Decryption failed.';
- json_return_and_die($ret);
- }
+
+// susceptible to Bleichenberger attack
+// if(! $data) {
+// $ret['message'] = 'Decryption failed.';
+// json_return_and_die($ret);
+// }
$data = json_decode($data,true);
}
if(! $data) {
- $ret['message'] = 'No data received.';
- json_return_and_die($ret);
+
+ // possible Bleichenberger attack, just treat it as a
+ // message we have no handler for. It should fail a bit
+ // further along with "no hub". Our public key is public
+ // knowledge. There's no reason why anybody should get the
+ // encryption wrong unless they're fishing or hacking. If
+ // they're developing and made a goof, this can be discovered
+ // in the logs of the destination site. If they're fishing or
+ // hacking, the bottom line is we can't verify their hub.
+ // That's all we're going to tell them.
+
+ $data = array('type' => 'bogus');
}
logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);