Diffstat (limited to 'Zotlabs/Web/HTTPSig.php')
-rw-r--r-- | Zotlabs/Web/HTTPSig.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index 1f485a881..e9e262125 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -24,8 +24,9 @@ class HTTPSig { static function verify($data,$key = '') { - $body = $data; - $headers = null; + $body = $data; + $headers = null; + $spoofable = false; $result = [ 'signer' => '', @@ -80,6 +81,9 @@ class HTTPSig { if(array_key_exists($h,$headers)) { $signed_data .= $h . ': ' . $headers[$h] . "\n"; } + if(strpos($h,'.')) { + $spoofable = true; + } } $signed_data = rtrim($signed_data,"\n"); @@ -101,7 +105,8 @@ class HTTPSig { if($x === false) return $result; - $result['header_valid'] = true; + if(! $spoofable) + $result['header_valid'] = true; if(in_array('digest',$signed_headers)) { $result['content_signed'] = true; |
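Review bot: The dot check added in the second hunk (`@@ -80,6 +81,9 @@`) uses the return value of `strpos($h,'.')` as a boolean, so a signed header name that starts with a dot yields offset 0 and is not flagged as spoofable. Compare against false explicitly: `if(strpos($h,'.') !== false) {`. The hunk also gives no reason why a dotted header name makes the signature untrustworthy; a one-line comment above the check stating that reason would keep a later cleanup from removing it. The enclosing loop and the code that builds `$signed_headers` start outside the hunk, so whether names are normalised before this point cannot be confirmed from here.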
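Review bot: In the third hunk (`@@ -101,7 +105,8 @@`) a signature that lists a dotted header only skips the `header_valid` assignment; execution still falls through to the `digest` branch, so `content_signed` can be set to true for a signature the function has just decided not to trust. If the intent is to reject the signature as a whole, returning early is clearer and safer: `if($spoofable) return $result;`. If partial results are intended, a comment should say that callers must gate on `header_valid` before using any other field, and the rejection should be logged so an operator can tell a spoofing attempt from a key mismatch. The remainder of `verify()`, including any digest comparison, lies outside the hunk.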