From 5abcb8c97813d66b63ca697ca626347a9fd8d95c Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 29 Nov 2017 13:51:54 -0800 Subject: use httpsig auth for getfile --- Zotlabs/Module/Getfile.php | 57 +++++++++++++++++++++++++++++++++++++--------- include/import.php | 9 +++++++- 2 files changed, 54 insertions(+), 12 deletions(-) diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php index 413a68e0c..3f84b4050 100644 --- a/Zotlabs/Module/Getfile.php +++ b/Zotlabs/Module/Getfile.php @@ -28,17 +28,51 @@ class Getfile extends \Zotlabs\Web\Controller { function post() { - logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); - + $header_verification = false; + $hash = $_POST['hash']; $time = $_POST['time']; $sig = $_POST['signature']; $resource = $_POST['resource']; $revision = intval($_POST['revision']); $resolution = (-1); - + if(! $hash) killme(); + + foreach([ 'REDIRECT_REMOTE_USER', 'HTTP_AUTHORIZATION' ] as $head) { + if(array_key_exists($head,$_SERVER) && substr(trim($_SERVER[$head]),0,9) === 'Signature') { + if($head !== 'HTTP_AUTHORIZATION') { + $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER[$head]; + continue; + } + + $sigblock = \Zotlabs\Web\HTTPSig::parse_sigheader($_SERVER[$head]); + if($sigblock) { + $keyId = $sigblock['keyId']; + + if($keyId) { + $r = q("select * from hubloc left join xchan on hubloc_hash = xchan_hash + where hubloc_addr = '%s' limit 1", + dbesc(str_replace('acct:','',$keyId)) + ); + if($r) { + $hubloc = $r[0]; + $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); + if($verified && $verified['header_signed'] && $verified['header_valid'] && $hash == $hubloc['hubloc_hash']) { + $header_verified = true; + } + } + } + } + } + } + + + logger('post: ' . print_r($_POST,true),LOGGER_DEBUG,LOG_INFO); + if($header_verified) { + logger('HTTPSig verified'); + } $channel = channelx_by_hash($hash); 
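Review bot: The binding between the signing key and the requested channel in the new foreach rests on `$hash == $hubloc['hubloc_hash']`, a loose comparison of a `$_POST` value against the database; make it `$hash === $hubloc['hubloc_hash']`. The hubloc row is also chosen by `hubloc_addr` alone with `limit 1`, so if more than one row carries that address (a retired or re-registered one, for instance) which public key gets verified is arbitrary; selecting `where hubloc_addr = '%s' and hubloc_hash = '%s' limit 1` with `dbesc($hash)` as the second argument makes the lookup return only the row whose key may vouch for this hash, and a not-deleted filter (if the schema has one) would tighten it further. `post()` continues past the end of the hunk, and the trailing context appears truncated here.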
@@ -59,16 +93,17 @@ class Getfile extends \Zotlabs\Web\Controller { $d1 = datetime_convert('UTC','UTC',"now + $slop minutes"); $d2 = datetime_convert('UTC','UTC',"now - $slop minutes"); - if(($time > $d1) || ($time < $d2)) { - logger('time outside allowable range'); - killme(); - } + if(! $header_verified) { + if(($time > $d1) || ($time < $d2)) { + logger('time outside allowable range'); + killme(); + } - if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { - logger('verify failed.'); - killme(); + if(! rsa_verify($hash . '.' . $time,base64url_decode($sig),$channel['channel_pubkey'])) { + logger('verify failed.'); + killme(); + } } - if($resolution > 0) { $r = q("select * from photo where resource_id = '%s' and uid = %d limit 1", diff --git a/include/import.php b/include/import.php index 702fa7e54..8cab16342 100644 --- a/include/import.php +++ b/include/import.php @@ -1199,7 +1199,14 @@ function sync_files($channel, $files) { continue; } $redirects = 0; - $x = z_post_url($fetch_url,$parr,$redirects,array('filep' => $fp)); + + + $headers = []; + $headers['Accept'] = 'application/x-zot+json' ; + $headers['Sigtoken'] = random_string(); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); + + $x = z_post_url($fetch_url,$parr,$redirects,[ 'filep' => $fp, 'headers' => $headers]); fclose($fp); if($x['success']) { -- cgit v1.2.3 From 6a4050cc9386effc86d2b0279c33ae1a1925a5ab Mon Sep 17 00:00:00 2001 From: zotlabs Date: Wed, 29 Nov 2017 14:08:30 -0800 Subject: use the same variable name consistently --- Zotlabs/Module/Getfile.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Getfile.php b/Zotlabs/Module/Getfile.php index 3f84b4050..abc9f50d9 100644 --- a/Zotlabs/Module/Getfile.php +++ b/Zotlabs/Module/Getfile.php 
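Review bot: Once `$header_verified` is true, both the ±`$slop` time window and the `rsa_verify` over `$hash . '.' . $time` are skipped, so request freshness on the signature path depends entirely on what `HTTPSig::verify` checks for the signed headers, which is not visible in this hunk. If that routine does not enforce a date-based window, a captured signed request can be replayed later to fetch the same resource. The `$time` field appears to still be posted on both paths (`$parr` is untouched in the import.php hunk), so the cheapest safeguard is to keep the time-window check outside the `if(! $header_verified)` block and only skip the `rsa_verify` call; otherwise confirm that a date header is among the signed headers and is range-checked. The enclosing `post()` starts and ends outside this hunk.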
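Review bot: The `create_sig` call passes two bare booleans and `'sha512'` positionally and reassigns `$headers` from a plain map to whatever the helper returns, so a reader cannot tell from this hunk what the flags select or what shape `z_post_url` now receives; a one-line comment naming the two flags would help. The `keyId` built as `'acct:' . $channel['channel_address'] . '@' . \App::get_hostname()` is coupled to the receiving side, which strips `acct:` and looks the remainder up as `hubloc_addr`, so a comment such as `// keyId must match hubloc_addr on the receiver; Getfile strips the 'acct:' prefix before lookup` would make that contract explicit. The `Sigtoken` header is presumably there to make each signature unique; if so, say so, since a per-request token alone does not stop replay unless the receiver tracks it. Minor style: the stray space in `'application/x-zot+json' ;` and the two blank lines before `$headers = [];` should go. `sync_files()` starts and ends outside the hunk.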
@@ -28,7 +28,7 @@ class Getfile extends \Zotlabs\Web\Controller { function post() { - $header_verification = false; + $header_verified = false; $hash = $_POST['hash']; $time = $_POST['time']; -- cgit v1.2.3