aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/notifier.php4
-rw-r--r--mod/item.php2
-rw-r--r--mod/post.php29
3 files changed, 28 insertions, 7 deletions
diff --git a/include/notifier.php b/include/notifier.php
index 60cae2dc0..c805ef4cd 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -321,8 +321,8 @@ function notifier_run($argv, $argc){
$sql_extra = (($private) ? "" : " or hubloc_url = '" . z_root() . "' ");
- $r = q("select distinct(hubloc_callback),hubloc_host,hubloc_sitekey from hubloc
- where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_callback");
+ $r = q("select distinct hubloc_sitekey, hubloc_callback, hubloc_host from hubloc
+ where hubloc_hash in (" . implode(',',$recipients) . ") $sql_extra group by hubloc_sitekey");
if(! $r) {
logger('notifier: no hubs');
return;
diff --git a/mod/item.php b/mod/item.php
index a8d1bdf31..6678930ec 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -545,6 +545,8 @@ function item_post(&$a) {
echo json_encode(array('preview' => $o));
killme();
}
+ if($orig_post)
+ $datarray['edit'] = true;
call_hooks('post_local',$datarray);
diff --git a/mod/post.php b/mod/post.php
index 20100c032..286eb743d 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -200,17 +200,36 @@ function post_post(&$a) {
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
- // verify the url_sig
- $sitekey = $r[0]['hubloc_sitekey'];
-// logger('sitekey: ' . $sitekey);
- if(! rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
+ foreach ($r as $hubsite) {
+
+ // verify the url_sig
+ // If the server was re-installed at some point, there could be multiple hubs with the same url and callback.
+ // Only one will have a valid key.
+
+ $forgery = true;
+ $secret_fail = true;
+
+ $sitekey = $hubsite['hubloc_sitekey'];
+
+ // logger('sitekey: ' . $sitekey);
+
+ if(rsa_verify($data['callback'],base64url_decode($data['callback_sig']),$sitekey)) {
+ $forgery = false;
+ }
+ if(rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
+ $secret_fail = false;
+ }
+ if((! $forgery) && (! $secret_fail))
+ break;
+ }
+ if($forgery) {
$ret['message'] = 'possible site forgery';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);
}
- if(! rsa_verify($data['secret'],base64url_decode($data['secret_sig']),$sitekey)) {
+ if($secret_fail) {
$ret['message'] = 'secret validation failed';
logger('mod_zot: pickup: ' . $ret['message']);
json_return_and_die($ret);