From c37eaff26331c49a2c8754f6d49c6145863f47ca Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Tue, 24 May 2016 23:05:00 -0700
Subject: require token signatures in zot_refresh, also move channel specific stuff into include/channel.php from include/connections.php
---
 .gitignore | 2 ++
 Zotlabs/Daemon/Queue.php | 1 +
 include/channel.php | 23 +++++++++++++++++++++++
 include/connections.php | 21 ---------------------
 include/zot.php | 26 ++++++++++++++++++++++++--
 5 files changed, 50 insertions(+), 23 deletions(-)
diff --git a/.gitignore b/.gitignore
index 6ceac139f..a5f149548 100755
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,8 @@ *.rej
 # OSX .DS_Store files
 .DS_Store
+# version scripts (repo master only)
+.version*
 Thumbs.db
diff --git a/Zotlabs/Daemon/Queue.php b/Zotlabs/Daemon/Queue.php
index c247be8e4..27306589d 100644
--- a/Zotlabs/Daemon/Queue.php
+++ b/Zotlabs/Daemon/Queue.php
@@ -6,6 +6,7 @@ require_once('include/queue_fn.php');
 require_once('include/zot.php');
 class Queue {
+ static public function run($argc,$argv) {
 require_once('include/items.php');
diff --git a/include/channel.php b/include/channel.php
index 8f93ca16f..35084741f 100644
--- a/include/channel.php
+++ b/include/channel.php
@@ -1945,3 +1945,26 @@ function get_zcard_embed($channel,$observer_hash = '',$args = array()) {
 return $o;
 }
+
+
+function channelx_by_nick($nick) {
+ $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_address = '%s' and channel_removed = 0 LIMIT 1",
+ dbesc($nick)
+ );
+ return(($r) ? $r[0] : false);
+}
+
+function channelx_by_hash($hash) {
+ $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_hash = '%s' and channel_removed = 0 LIMIT 1",
+ dbesc($hash)
+ );
+ return(($r) ? $r[0] : false);
+}
+
+function channelx_by_n($id) {
+ $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_id = %d and channel_removed = 0 LIMIT 1",
+ dbesc($id)
+ );
+ return(($r) ? $r[0] : false);
+}
+
diff --git a/include/connections.php b/include/connections.php
index d9331f42f..d18383fad 100644
--- a/include/connections.php
+++ b/include/connections.php
@@ -48,27 +48,6 @@ function abook_self($channel_id) {
 return(($r) ? $r[0] : array());
 }
-function channelx_by_nick($nick) {
- $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_address = '%s' and channel_removed = 0 LIMIT 1",
- dbesc($nick)
- );
- return(($r) ? $r[0] : false);
-}
-
-function channelx_by_hash($hash) {
- $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_hash = '%s' and channel_removed = 0 LIMIT 1",
- dbesc($hash)
- );
- return(($r) ? $r[0] : false);
-}
-
-function channelx_by_n($id) {
- $r = q("SELECT * FROM channel left join xchan on channel_hash = xchan_hash WHERE channel_id = %d and channel_removed = 0 LIMIT 1",
- dbesc($id)
- );
- return(($r) ? $r[0] : false);
-}
-
 function vcard_from_xchan($xchan, $observer = null, $mode = '') {
diff --git a/include/zot.php b/include/zot.php
index 9ed3d7d03..b6424c272 100644
--- a/include/zot.php
+++ b/include/zot.php
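Review bot: `channelx_by_n()` feeds `dbesc($id)` into a `%d` placeholder, while its two siblings pair `dbesc()` with quoted `'%s'` placeholders; for an integer column the clearer guard is `intval($id)`, which states the intent and keeps a string escaper out of a numeric position. The three lookups also land in include/channel.php without any docblock even though they are now the canonical channel accessors; a short `@brief` header on each, in the style used elsewhere in this commit (e.g. `@brief Load a channel row, joined with its xchan, by nickname; returns the row or false`), would help callers. Note that they return `false` on a miss while `abook_self()` in the connections.php hunk returns an empty array, an inherited inconsistency worth stating in those docblocks.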
@@ -329,8 +329,12 @@ function zot_refresh($them, $channel = null, $force = false) {
 return false;
 }
+ $token = random_string();
+ $postvars = array();
+ $postvars['token'] = $token;
+ if($channel) {
 $postvars['target'] = $channel['channel_guid'];
 $postvars['target_sig'] = $channel['channel_guid_sig'];
@@ -343,11 +347,13 @@ function zot_refresh($them, $channel = null, $force = false) {
 $postvars['guid_hash'] = $them['xchan_hash'];
 if (array_key_exists('xchan_guid',$them) && $them['xchan_guid'] && array_key_exists('xchan_guid_sig',$them) && $them['xchan_guid_sig']) {
- $postvars['guid'] = $them['xchan_guid'];
 $postvars['guid_sig'] = $them['xchan_guid_sig'];
+ }
+ $token = random_string();
+ $rhs = '/.well-known/zot-info';
 $result = z_post_url($url . $rhs,$postvars);
@@ -363,6 +369,22 @@ function zot_refresh($them, $channel = null, $force = false) {
 return false;
 }
+ $signed_token = ((is_array($j) && array_key_exists('signed_token',$j)) ? $j['signed_token'] : null);
+ if($signed_token) {
+ $valid = rsa_verify('token.' . $token,base64url_decode($signed_token),$j['key']);
+ if(! $valid) {
+ logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
+ return false;
+ }
+ }
+ else {
+ logger('No signed token from ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
+ // after 2017-01-01 this will be a hard error unless you over-ride it.
+ if((time() > 1483228800) && (! get_config('system','allow_unsigned_zotfinger'))) {
+ return false;
+ }
+ }
+ $x = import_xchan($j, (($force) ? UPDATE_FLAGS_FORCED : UPDATE_FLAGS_UPDATED));
 if(! $x['success'])
@@ -1493,7 +1515,7 @@ function public_recips($msg) {
 /**
 * @brief
 *
- * This is the second part of public_recipes().
+ * This is the second part of public_recips().
 * We'll find all the channels willing to accept public posts from us, then
 * match them against the sender privacy scope and see who in that list that
 * the sender is allowing.
-- cgit v1.2.3
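Review bot: `$token = random_string();` is assigned a second time in this hunk, just before `$rhs = '/.well-known/zot-info';`, after `$postvars['token']` was already filled from the first value in the hunk at line 329; the POST therefore carries one token while `rsa_verify('token.' . $token, ...)` in the hunk at line 363 checks the signature against a different one, so every correctly signed reply will be logged as `invalid signed token` and rejected. Delete the second `$token = random_string();` so the value sent and the value verified are the same. zot_refresh() begins and ends outside these hunks.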
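Review bot: the signature is verified against `$j['key']`, the public key carried in the very reply being checked, so a passing check shows only that the responder holds the private half of whatever key it chose to send and that the reply is fresh for this token; it does not show that the responder is the channel `$them` already refers to. If a public key for `$them` is already stored locally, comparing `$j['key']` with it (or verifying against the stored key) before `import_xchan()` runs would make the check bind the reply to a known identity rather than to a self-asserted one. Separately, `$j['key']` is read without the `array_key_exists` guard that `signed_token` gets two lines above, so a reply with a `signed_token` but no `key` reaches `rsa_verify()` with an undefined index; `$valid = ((array_key_exists('key',$j) && $j['key']) ? rsa_verify('token.' . $token,base64url_decode($signed_token),$j['key']) : false);` keeps a missing key on the invalid-token path. The enclosing zot_refresh() starts and ends outside this hunk.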