From 4e69467b14a01ae3cfded0d75f9cbe6d0b4656c7 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Wed, 10 Oct 2018 05:37:53 +0000
Subject: SECURITY: signature issue
(cherry picked from commit c6f3298f7864756f4a9b7827e8490a3ee859f82f)
---
 Zotlabs/Module/Magic.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'Zotlabs/Module/Magic.php')
diff --git a/Zotlabs/Module/Magic.php b/Zotlabs/Module/Magic.php
index be6866592..71737eef8 100644
--- a/Zotlabs/Module/Magic.php
+++ b/Zotlabs/Module/Magic.php
@@ -146,12 +146,17 @@ class Magic extends \Zotlabs\Web\Controller {
 $dest = strip_zids($dest);
 $dest = strip_query_param($dest,'f');
+ $data = json_encode([ 'OpenWebAuth' => random_string() ]);
+ $headers = [];
 $headers['Accept'] = 'application/x-zot+json' ;
 $headers['X-Open-Web-Auth'] = random_string();
+ $headers['Host'] = $parsed['host'];
+ $headers['Digest'] = 'SHA-256=' . \Zotlabs\Web\HTTPSig::generate_digest($data,false);
+ $headers = \Zotlabs\Web\HTTPSig::create_sig('',$headers,$channel['channel_prvkey'], 'acct:' . $channel['channel_address'] . '@' . \App::get_hostname(),false,true,'sha512');
- $x = z_fetch_url($basepath . '/owa',false,$redirects,[ 'headers' => $headers ]);
+ $x = z_post_url($basepath . '/owa',$data,$redirects,[ 'headers' => $headers ]);
 if($x['success']) {
 $j = json_decode($x['body'],true);
--
cgit v1.2.3
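Review bot: Nothing at `$headers['Host'] = $parsed['host'];` or the `Digest` line below it records that these two headers are presumably what tie the signed OpenWebAuth request to one site and one body, and the header set handed to `create_sig()` still shows no time-bound value. I would add a comment above the two lines such as `// Sign Host and Digest so the request is bound to this destination and this body and cannot be reused against another site`, and, unless `create_sig()` adds one itself, also sign a `Date` header so the receiving /owa endpoint can reject stale requests. The binding only holds if the receiver refuses signatures that do not cover `host` and `digest`; this view is limited to Magic.php, so that side cannot be checked here. `$parsed` and `$basepath` are defined outside the hunk, so confirm that the host being signed is the host the POST is sent to, including when `$basepath` carries a port or `$redirects` lets the request be redirected.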