From 2c797807cd63850055fc65e445a605aee106530a Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 8 Oct 2018 20:56:20 -0700 Subject: whitespace --- include/channel.php | 3 --- 1 file changed, 3 deletions(-) diff --git a/include/channel.php b/include/channel.php index 6a934cb82..22cdb9fe7 100644 --- a/include/channel.php +++ b/include/channel.php @@ -2602,8 +2602,6 @@ function channel_remove($channel_id, $local = true, $unset_session = false) { } } - - $r = q("select id from item where uid = %d", intval($channel_id)); if($r) { foreach($r as $rv) { @@ -2611,7 +2609,6 @@ function channel_remove($channel_id, $local = true, $unset_session = false) { } } - q("delete from abook where abook_xchan = '%s' and abook_self = 1 ", dbesc($channel['channel_hash']) ); -- cgit v1.2.3 From c6f3298f7864756f4a9b7827e8490a3ee859f82f Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 9 Oct 2018 22:37:53 -0700 Subject: SECURITY: signature issue --- Zotlabs/Module/Magic.php | 7 ++++++- Zotlabs/Module/Owa.php | 2 +- Zotlabs/Web/HTTPSig.php | 15 +++++++++++++++ Zotlabs/Zot/Finger.php | 7 +++++++ 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php index be6866592..71737eef8 100644 --- a/Zotlabs/Module/Magic.php +++ b/Zotlabs/Module/Magic.php @@ -146,12 +146,17 @@ class Magic extends \Zotlabs\Web\Controller { $dest = strip_zids($dest); $dest = strip_query_param($dest,'f'); + $data = json_encode([ 'OpenWebAuth' => random_string() ]); + $headers = []; $headers['Accept'] = 'application/x-zot+json' ; $headers['X-Open-Web-Auth'] = random_string(); + $headers['Host'] = $parsed['host']; + $headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false); + $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512'); - $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]); + $x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]); if($x['success']) { $j = json_decode($x['body'],true); diff --git a/Zotlabs/Module/Owa.php b/Zotlabs/Module/Owa.php index da26748b3..4a488086f 100644 --- a/Zotlabs/Module/Owa.php +++ b/Zotlabs/Module/Owa.php @@ -45,7 +45,7 @@ class Owa extends \Zotlabs\Web\Controller { } if($r) { foreach($r as $hubloc) { - $verified = \Zotlabs\Web\HTTPSig::verify('',$hubloc['xchan_pubkey']); + $verified = \Zotlabs\Web\HTTPSig::verify(file_get_contents('php://input'),$hubloc['xchan_pubkey']); if($verified && $verified['header_signed'] && $verified['header_valid']) { logger('OWA header: ' . print_r($verified,true),LOGGER_DATA); logger('OWA success: ' . $hubloc['hubloc_addr'],LOGGER_DATA); diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php index df66ecf5c..ec7bb0d67 100644 --- a/Zotlabs/Web/HTTPSig.php +++ b/Zotlabs/Web/HTTPSig.php @@ -104,6 +104,21 @@ class HTTPSig { if(strpos($h,'.')) { $spoofable = true; } + if($h === 'host' && (strpos(strtolower(\App::get_hostname()),strtolower($headers[$h])) === false)) { + logger('bad host: ' . $sig_block['keyId'] . ' != ' . $headers[$h]); + return $result; + } + if($h === 'date') { + $d = new \DateTime($headers[$h]); + $d->setTimeZone(new \DateTimeZone('UTC')); + $dplus = datetime_convert('UTC','UTC','now + 1 day'); + $dminus = datetime_convert('UTC','UTC','now - 1 day'); + $c = $d->format('Y-m-d H:i:s'); + if($c > $dplus || $c < $dminus) { + logger('bad time: ' . $c); + return $result; + } + } } $signed_data = rtrim($signed_data,"\n"); diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php index 559f9657a..1d20f5822 100644 --- a/Zotlabs/Zot/Finger.php +++ b/Zotlabs/Zot/Finger.php @@ -71,6 +71,11 @@ class Finger { $url = 'https://' . $host; } + $m = parse_url($url); + if($m) { + $parsed_host = strtolower($m['host']); + } + $rhs = '/.well-known/zot-info'; $https = ((strpos($url,'https://') === 0) ? true : false); @@ -88,6 +93,8 @@ class Finger { $headers = []; $headers['X-Zot-Channel'] = $channel['channel_address'] . '@' . \App::get_hostname(); $headers['X-Zot-Nonce'] = random_string(); + $headers['Host'] = $parsed['host']; + $xhead = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false); -- cgit v1.2.3