diff options
Diffstat (limited to 'Zotlabs/Module/Getfile.php')
-rw-r--r-- | Zotlabs/Module/Getfile.php | 57 |
1 files changed, 46 insertions, 11 deletions
diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php index 413a68e0c..3f84b4050 100644 --- a/Zotlabs/Module/Getfile.php +++ b/Zotlabs/Module/Getfile.php @@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller { function post() { - logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); - + $header_verification = false; + $hash = $_POST['hash']; $time = $_POST['time']; $sig = $_POST['signature']; $resource = $_POST['resource']; $revision = intval($_POST['revision']); $resolution = (-1); - + if(! $hash) killme(); + + foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { + if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') { + if($head !== 'HTTP_AUTHORIZATION') { + $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head]; + continue; + } + + $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]); + if($sigblock) { + $keyId = $sigblock['keyId']; + + if($keyId) { + $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash + where hubloc_addr = '%s' limit 1", + dbesc(str_replace('acct:','',$keyId)) + ); + if($r) { + $hubloc = $r[0]; + $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); + if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) { + $header_verified = true; + } + } + } + } + } + } + + + logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); + if($header_verified) { + logger('HTTPSig verified'); + } $channel = channelx_by_hash($hash); @@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller { $d1 = datetime_convert('UTC','UTC',"now + $slop minutes"); $d2 = datetime_convert('UTC','UTC',"now - $slop minutes"); - if(($time > $d1) || ($time < $d2)) { - logger('time outside allowable range'); - killme(); - } + if(! $header_verified) { + if(($time > $d1) || ($time < $d2)) { + logger('time outside allowable range'); + killme(); + } - if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { - logger('verify failed.'); - killme(); + if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { + logger('verify failed.'); + killme(); + } } - if($resolution > 0) { $r = q("select * from photo where resource_id = '%s' and uid = %d limit 1", |