From c6bfd5e7befedf79ab6f7e70902e5fb2aa69fa6f Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Thu, 11 Oct 2018 21:28:47 -0700
Subject: verify some edge case http signatures

---
 Zotlabs/Web/HTTPSig.php | 6 ++----
 include/network.php | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index ec7bb0d67..f27aa0556 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -52,6 +52,7 @@ class HTTPSig {
 $h = new \Zotlabs\Web\HTTPHeaders($data['header']);
 $headers = $h->fetcharr();
 $body = $data['body'];
+ $headers['(request-target)'] = $data['request_target'];
 }
 else {
@@ -60,6 +61,7 @@ class HTTPSig {
 strtolower($_SERVER['REQUEST_METHOD']) . ' ' . $_SERVER['REQUEST_URI'];
 $headers['content-type'] = $_SERVER['CONTENT_TYPE'];
+ $headers['content-length'] = $_SERVER['CONTENT_LENGTH'];
 foreach($_SERVER as $k => $v) {
 if(strpos($k,'HTTP_') === 0) {
@@ -104,10 +106,6 @@ class HTTPSig {
 if(strpos($h,'.')) {
 $spoofable = true;
 }
- if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) {
- logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]);
- return $result;
- }
 if($h === 'date') {
 $d = new \DateTime($headers[$h]);
 $d->setTimeZone(new \DateTimeZone('UTC'));
diff --git a/include/network.php b/include/network.php
index 5ae02deff..4c9813768 100644
--- a/include/network.php
+++ b/include/network.php
@@ -48,6 +48,10 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 if(($redirects > 8) || (! $ch)) return $ret;
+ if(! array_key_exists('request_target',$opts)) {
+ $opts['request_target'] = 'get ' . get_request_string($url);
+ }
+
 @curl_setopt($ch, CURLOPT_HEADER, true);
 @curl_setopt($ch, CURLINFO_HEADER_OUT, true);
 @curl_setopt($ch, CURLOPT_CAINFO, get_capath());
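Review bot: `$headers['(request-target)'] = $data['request_target'];` reads a key that only the z_fetch_url/z_post_url changes in this commit populate, so any caller that assembles `$data` itself will now raise an undefined-index notice and verify against an empty pseudo-header; the same pattern appears in the next hunk with `$headers['content-length'] = $_SERVER['CONTENT_LENGTH'];`, since CONTENT_LENGTH is not set for requests without a body. Guard both so an absent value is not silently compared as an empty string, e.g. `if(array_key_exists('request_target',$data)) $headers['(request-target)'] = $data['request_target'];` and `if(isset($_SERVER['CONTENT_LENGTH'])) $headers['content-length'] = $_SERVER['CONTENT_LENGTH'];`. The enclosing verify method starts and ends outside this hunk.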
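Review bot: With the `host` comparison deleted in the third HTTPSig hunk, the header loop no longer rejects a signature whose signed `host` header names a different server, and nothing left in this hunk ties an inbound signature to this site. If the check was dropped because the `$data` branch now feeds fetched responses through the same loop, where `host` legitimately names the remote, it could instead be limited to the `$_SERVER` branch, e.g. `if($h === 'host' && (! $data) && strtolower($headers[$h]) !== strtolower(\App::get_hostname()))` followed by the logging and `return $result;` lines, which would also replace the old substring match (any header value that is a substring of the local hostname passed) with an exact comparison, modulo any port suffix get_hostname() may carry. Whichever way it goes, the reason for removing the host binding deserves a comment above the `date` check so the next reader does not assume it was lost by accident.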
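Review bot: Storing the default into `$opts['request_target']` makes it sticky: if the redirect handling further down re-enters z_fetch_url with the same `$opts` (the recursion is not visible in this hunk), the final response is verified against the original URL's target rather than the redirected one, and the z_post_url hunk on the next line has the same shape. Keeping the value out of `$opts` avoids that, e.g. `$request_target = (array_key_exists('request_target',$opts) ? $opts['request_target'] : 'get ' . get_request_string($url));` here and `$ret['request_target'] = $request_target;` where the result array is filled. The function continues well past the end of this hunk.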
@@ -179,6 +183,7 @@ function z_fetch_url($url, $binary = false, $redirects = 0, $opts = array()) {
 }
 $ret['body'] = substr($s,strlen($header));
 $ret['header'] = $header;
+ $ret['request_target'] = $opts['request_target'];
 if(x($opts,'debug')) {
 $ret['debug'] = $curl_info;
@@ -227,6 +232,10 @@ function z_post_url($url, $params, $redirects = 0, $opts = array()) {
 if(($redirects > 8) || (! $ch)) return $ret;
+ if(! array_key_exists('request_target',$opts)) {
+ $opts['request_target'] = 'get ' . get_request_string($url);
+ }
+
 @curl_setopt($ch, CURLOPT_HEADER, true);
 @curl_setopt($ch, CURLINFO_HEADER_OUT, true);
 @curl_setopt($ch, CURLOPT_CAINFO, get_capath());
@@ -359,6 +368,7 @@ function z_post_url($url, $params, $redirects = 0, $opts = array()) {
 $ret['body'] = substr($s, strlen($header));
 $ret['header'] = $header;
+ $ret['request_target'] = $opts['request_target'];
 if(x($opts,'debug')) {
 $ret['debug'] = $curl_info;
@@ -2080,3 +2090,17 @@ function jsonld_document_loader($url) {
 return [];
 }
+
+/**
+ * @brief Given a URL, return everything after the host portion.
+ * example https://foobar.com/gravy?g=5&y=6
+ * returns /gravy?g=5&y=6
+ * result always returns the leading slash
+ */
+
+function get_request_string($url) {
+
+ $a = explode('/',$url,4);
+ return '/' . ((count($a) > 3) ? $a[3] : EMPTY_STR);
+
+}
--
cgit v1.2.3
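Review bot: The z_post_url default `$opts['request_target'] = 'get ' . get_request_string($url);` names the wrong method: this function sends POST requests, so a peer that signs its response over `(request-target)` will have used `post /path`, and verification of that response will fail against a `get` target. Use `'post '` here; if the function also honours a custom request method via `$opts` further down (not visible in this hunk), the lower-cased custom verb should be used instead. The same caveat applies to the z_fetch_url default in the earlier hunk if that function supports anything other than a plain GET.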
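Review bot: get_request_string keeps a `#fragment` in the returned target (a constructed `https://foobar.com/gravy#x` yields `/gravy#x`) even though a fragment is never transmitted, and it silently returns a bare `/` for a scheme-less input such as `foobar.com/gravy` because a third slash is never reached; in both cases the `(request-target)` fed into signature verification disagrees with what the peer actually saw. Deriving the target from `parse_url()` drops the fragment: `$p = parse_url($url);` then `return ((isset($p['path']) && $p['path'] !== '') ? $p['path'] : '/') . (isset($p['query']) ? '?' . $p['query'] : '');`. The docblock should also state that the query string is included, the fragment is not, and that an absolute URL with a scheme is expected.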