aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Zotlabs/Module/Getfile.php57
-rw-r--r--include/import.php9
2 files changed, 54 insertions, 12 deletions
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php
index 413a68e0c..3f84b4050 100644
--- a/Zotlabs/Module/Getfile.php
+++ b/Zotlabs/Module/Getfile.php
@@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller {
function post() {
- logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
-
+ $header_verification = false;
+
$hash = $_POST['hash'];
$time = $_POST['time'];
$sig = $_POST['signature'];
$resource = $_POST['resource'];
$revision = intval($_POST['revision']);
$resolution = (-1);
-
+
if(! $hash)
killme();
+
+ foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) {
+ if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') {
+ if($head !== 'HTTP_AUTHORIZATION') {
+ $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head];
+ continue;
+ }
+
+ $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]);
+ if($sigblock) {
+ $keyId = $sigblock['keyId'];
+
+ if($keyId) {
+ $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash
+ where hubloc_addr = '%s' limit 1",
+ dbesc(str_replace('acct:','',$keyId))
+ );
+ if($r) {
+ $hubloc = $r[0];
+ $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']);
+ if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) {
+ $header_verified = true;
+ }
+ }
+ }
+ }
+ }
+ }
+
+
+ logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO);
+ if($header_verified) {
+ logger('HTTPSig verified');
+ }
$channel = channelx_by_hash($hash);
@@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller {
$d1 = datetime_convert('UTC','UTC',"now + $slop minutes");
$d2 = datetime_convert('UTC','UTC',"now - $slop minutes");
- if(($time > $d1) || ($time < $d2)) {
- logger('time outside allowable range');
- killme();
- }
+ if(! $header_verified) {
+ if(($time > $d1) || ($time < $d2)) {
+ logger('time outside allowable range');
+ killme();
+ }
- if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
- logger('verify failed.');
- killme();
+ if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) {
+ logger('verify failed.');
+ killme();
+ }
}
-
if($resolution > 0) {
$r = q("select * from photo where resource_id = '%s' and uid = %d limit 1",
diff --git a/include/import.php b/include/import.php
index 702fa7e54..8cab16342 100644
--- a/include/import.php
+++ b/include/import.php
@@ -1199,7 +1199,14 @@ function sync_files($channel, $files) {
continue;
}
$redirects = 0;
- $x = z_post_url($fetch_url,$parr,$redirects,array('filep' => $fp));
+
+
+ $headers = [];
+ $headers['Accept'] = 'application/x-zot+json' ;
+ $headers['Sigtoken'] = random_string();
+ $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
+
+ $x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]);
fclose($fp);
if($x['success']) {