diff options
author | friendica <info@friendica.com> | 2013-09-24 05:20:29 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-24 05:20:29 -0700 |
commit | d4ea56a77ef408347a9d73b36e8066334b8835ea (patch) | |
tree | 8fd5a50d2c14e93736d33e7a1b5858e94371ad5d /mod | |
parent | 1f916adfb889c877ff975be75274fb7f3ac37b1f (diff) | |
download | volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.gz volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.tar.bz2 volse-hubzilla-d4ea56a77ef408347a9d73b36e8066334b8835ea.zip |
reduce susceptibility to bleichenberger attack
Diffstat (limited to 'mod')
-rw-r--r-- | mod/post.php | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/mod/post.php b/mod/post.php index 378192cbf..0e1884d85 100644 --- a/mod/post.php +++ b/mod/post.php @@ -174,18 +174,30 @@ function post_post(&$a) { if(array_key_exists('iv',$data)) { $data = aes_unencapsulate($data,get_config('system','prvkey')); logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA); - if(! $data) { - $ret['message'] = 'Decryption failed.'; - json_return_and_die($ret); - } + +// susceptible to Bleichenberger attack +// if(! $data) { +// $ret['message'] = 'Decryption failed.'; +// json_return_and_die($ret); +// } $data = json_decode($data,true); } if(! $data) { - $ret['message'] = 'No data received.'; - json_return_and_die($ret); + + // possible Bleichenberger attack, just treat it as a + // message we have no handler for. It should fail a bit + // further along with "no hub". Our public key is public + // knowledge. There's no reason why anybody should get the + // encryption wrong unless they're fishing or hacking. If + // they're developing and made a goof, this can be discovered + // in the logs of the destination site. If they're fishing or + // hacking, the bottom line is we can't verify their hub. + // That's all we're going to tell them. + + $data = array('type' => 'bogus'); } logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA); |