From db82d303e217c2ca599a8b740ebb62339d373124 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Sun, 3 Sep 2017 17:12:42 -0700
Subject: only validate headers that aren't "spoofable", which will be somewhat implementation dependent.
---
 Zotlabs/Web/HTTPSig.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
(limited to 'Zotlabs/Web')
diff --git a/Zotlabs/Web/HTTPSig.php b/Zotlabs/Web/HTTPSig.php
index 1f485a881..e9e262125 100644
--- a/Zotlabs/Web/HTTPSig.php
+++ b/Zotlabs/Web/HTTPSig.php
@@ -24,8 +24,9 @@ class HTTPSig {
 static function verify($data,$key = '') {
- $body = $data;
- $headers = null;
+ $body = $data;
+ $headers = null;
+ $spoofable = false;
 $result = [
 'signer' => '',
@@ -80,6 +81,9 @@ class HTTPSig {
 if(array_key_exists($h,$headers)) {
 $signed_data .= $h . ': ' . $headers[$h] . "\n";
 }
+ if(strpos($h,'.')) {
+ $spoofable = true;
+ }
 }
 $signed_data = rtrim($signed_data,"\n");
@@ -101,7 +105,8 @@ class HTTPSig {
 if($x === false) return $result;
- $result['header_valid'] = true;
+ if(! $spoofable)
+ $result['header_valid'] = true;
 if(in_array('digest',$signed_headers)) {
 $result['content_signed'] = true;
-- cgit v1.2.3
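Review bot: The new test `if(strpos($h,'.'))` in the second hunk treats a return of 0 as "not found", so a signed header name whose first character is a dot is never marked spoofable while a dot at any later position is; the check needs an explicit comparison, `if(strpos($h,'.') !== false) {`. Since `$h` is taken from the signature's own headers list, this branch is evaluated on values the sender chooses, which is exactly where a truthiness test should not be relied on. A short why-comment at the assignment, stating which header names are considered spoofable and why the dot is the criterion (the commit message only says it is implementation dependent), would save the next reader from guessing, e.g. `// TODO(review): document why a '.' in a signed header name makes it untrustworthy on this server`. The enclosing foreach and verify() begin outside the hunk.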
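Review bot: In the third hunk `if(! $spoofable) $result['header_valid'] = true;` withholds the valid flag without recording anywhere in `$result` that the signature itself verified, so a caller cannot tell a cryptographically bad signature from a signature over a rejected header set; at minimum a comment above the guard such as `// signature verified, but do not report header_valid when a signed header name was judged spoofable` should state the intent, and a dedicated result key is worth considering if callers need to log the distinction. The initial value of `header_valid` is set in the `$result` initialiser outside this hunk, so what callers see in the rejected case is not visible here. The braceless `if` is also inconsistent with the braced block added in the previous hunk; `if(! $spoofable) { ... }` would match.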