aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/zot.php8
-rw-r--r--mod/zfinger.php18
-rw-r--r--version.inc2
3 files changed, 18 insertions, 10 deletions
diff --git a/include/zot.php b/include/zot.php
index b577493b3..46400f597 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -75,7 +75,6 @@ function zot_notify($channel,$url) {
function zot_finger($webbie,$channel) {
- logger('zot_finger:' . print_r($channel,true));
if(strpos($webbie,'@') === false) {
$address = $webbie;
$host = get_app()->get_hostname();
@@ -105,9 +104,10 @@ function zot_finger($webbie,$channel) {
if($channel) {
$postvars = array(
- 'address' => $address,
- 'target' => $channel['channel_guid'],
- 'target_sig' => $channel['channel_guid_sig']
+ 'address' => $address,
+ 'target' => $channel['channel_guid'],
+ 'target_sig' => $channel['channel_guid_sig'],
+ 'key' => $channel['channel_pubkey']
);
$result = z_post_url($url . $rhs,$postvars);
if(! $result['success'])
diff --git a/mod/zfinger.php b/mod/zfinger.php
index ea8da0c23..5567f85cf 100644
--- a/mod/zfinger.php
+++ b/mod/zfinger.php
@@ -7,11 +7,19 @@ function zfinger_init(&$a) {
$ret = array('success' => false);
- $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : '');
- $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : '');
- $ztarget = ((x($_REQUEST,'target')) ? trim($_REQUEST['target']) : '');
- $zsig = ((x($_REQUEST,'target_sig')) ? trim($_REQUEST['target_sig']) : '');
-
+ $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : '');
+ $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : '');
+ $ztarget = ((x($_REQUEST,'target')) ? $_REQUEST['target'] : '');
+ $zsig = ((x($_REQUEST,'target_sig')) ? $_REQUEST['target_sig'] : '');
+ $zkey = ((x($_REQUEST,'key')) ? $_REQUEST['key'] : '');
+
+ if($ztarget) {
+ if((! $zkey) || (! $zsig) || (! rsa_verify($ztarget,base64url_decode($zsig),$zkey))) {
+ logger('zfinger: invalid target signature');
+ $ret['message'] = t("invalid target signature");
+ json_return_and_die($ret);
+ }
+ }
$r = null;
diff --git a/version.inc b/version.inc
index da315233a..951e4f480 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2012-11-01.125
+2012-11-02.126