-rw-r--r--Zotlabs/Web/HTTPSig.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 1f485a881..e9e262125 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -24,8 +24,9 @@ class HTTPSig {
static function verify($data,$key = '') {
- $body = $data;
- $headers = null;
+ $body = $data;
+ $headers = null;
+ $spoofable = false;
$result = [
'signer' => '',
@@ -80,6 +81,9 @@ class HTTPSig {
if(array_key_exists($h,$headers)) {
$signed_data .= $h . ': ' . $headers[$h] . "\n";
}
+ if(strpos($h,'.')) {
+ $spoofable = true;
+ }
}
$signed_data = rtrim($signed_data,"\n");
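Review bot: The added check `if(strpos($h,'.'))` tests the return value for truthiness, so a header name whose dot sits at offset 0 returns `0` and leaves `$spoofable` false. Compare against false explicitly: `if(strpos($h,'.') !== false) {`. The check runs for every listed header name, including ones absent from `$headers`, which looks intended but is worth saying in a comment. The flag also has no comment explaining why a dot in a signed header name makes the signature untrustworthy; a one-line why-comment above the `if` would spare the next reader from guessing. The enclosing loop and verify() begin and end outside this hunk.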
@@ -101,7 +105,8 @@ class HTTPSig {
if($x === false)
return $result;
- $result['header_valid'] = true;
+ if(! $spoofable)
+ $result['header_valid'] = true;
if(in_array('digest',$signed_headers)) {
$result['content_signed'] = true;
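Review bot: When `$spoofable` is set, the new guard only skips the `header_valid` assignment and execution falls through into the digest branch. `content_signed`, and whatever the digest comparison below the hunk sets, can therefore still be populated for a signature the function has already decided not to trust. A caller that inspects only the content fields would not see the rejection. Returning early with `if($spoofable) return $result;` keeps the result array consistent, assuming `header_valid` starts out false in the part of `$result` not shown here. The brace-less `if` also departs from the braced style of the loop above, and verify() continues past the end of this hunk.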