diff options
-rw-r--r-- | include/notifier.php | 4 | ||||
-rw-r--r-- | mod/item.php | 2 | ||||
-rw-r--r-- | mod/post.php | 29 |
3 files changed, 28 insertions, 7 deletions
diff --git a/include/notifier.php b/include/notifier.php index 60cae2dc0..c805ef4cd 100644 --- a/include/notifier.php +++ b/include/notifier.php @@ -321,8 +321,8 @@ function notifier_run($argv, $argc){ $sql_extra = (($private) ? "" : " or hubloc_url = '" . z_root() . "' "); - $r = q("select distinct(hubloc_callback),hubloc_host,hubloc_sitekey from hubloc - where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_callback"); + $r = q("select distinct hubloc_sitekey, hubloc_callback, hubloc_host from hubloc + where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_sitekey"); if(! $r) { logger('notifier: no hubs'); return; diff --git a/mod/item.php b/mod/item.php index a8d1bdf31..6678930ec 100644 --- a/mod/item.php +++ b/mod/item.php @@ -545,6 +545,8 @@ function item_post(&$a) { echo json_encode(array('preview' => $o)); killme(); } + if($orig_post) + $datarray['edit'] = true; call_hooks('post_local',$datarray); diff --git a/mod/post.php b/mod/post.php index 20100c032..286eb743d 100644 --- a/mod/post.php +++ b/mod/post.php @@ -200,17 +200,36 @@ function post_post(&$a) { logger('mod_zot: pickup: ' . $ret['message']); json_return_and_die($ret); } - // verify the url_sig - $sitekey = $r[0]['hubloc_sitekey']; -// logger('sitekey: ' . $sitekey); - if(! rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) { + foreach ($r as $hubsite) { + + // verify the url_sig + // If the server was re-installed at some point, there could be multiple hubs with the same url and callback. + // Only one will have a valid key. + + $forgery = true; + $secret_fail = true; + + $sitekey = $hubsite['hubloc_sitekey']; + + // logger('sitekey: ' . $sitekey); + + if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) { + $forgery = false; + } + if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) { + $secret_fail = false; + } + if((! $forgery) && (! $secret_fail)) + break; + } + if($forgery) { $ret['message'] = 'possible site forgery'; logger('mod_zot: pickup: ' . $ret['message']); json_return_and_die($ret); } - if(! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) { + if($secret_fail) { $ret['message'] = 'secret validation failed'; logger('mod_zot: pickup: ' . $ret['message']); json_return_and_die($ret); |