From 40a06771ff2a22f3801dfe174ca318cf4f67c1b1 Mon Sep 17 00:00:00 2001 From: Mike Macgirvin Date: Thu, 5 Aug 2010 02:57:03 -0700 Subject: reciprocal verification on notify, poll --- include/poller.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'include/poller.php') diff --git a/include/poller.php b/include/poller.php index e0b4d79b2..be073b93b 100644 --- a/include/poller.php +++ b/include/poller.php @@ -84,11 +84,21 @@ echo "XML: " . $xml; $res = simplexml_load_string($xml); - if((intval($res->status) != 0) || (! strlen($res->challenge)) || ($res->dfrn_id != $contact['dfrn-id'])) + if((intval($res->status) != 0) || (! strlen($res->challenge)) || (! strlen($res->dfrn_id))) continue; $postvars = array(); + $sent_dfrn_id = hex2bin($res->dfrn_id); + + $final_dfrn_id = ''; + openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']); + $final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.')); + if($final_dfrn_id != $contact['dfrn-id']) { + // did not decode properly - cannot trust this site + continue; + } + $postvars['dfrn_id'] = $contact['dfrn-id']; $challenge = hex2bin($res->challenge); -- cgit v1.2.3
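Review bot: The added verification never checks the return value of `openssl_public_decrypt()` and compares the result with a loose `!=`, so a failed decrypt is rejected only indirectly, through `substr()`/`strpos()` producing an empty or false value. Under `!=` that value compares equal to an empty or `"0"` `$contact['dfrn-id']`, and two numeric-looking strings (for example of the form `0e…`) compare equal numerically, which weakens the check that decides whether the remote site is trusted. I would test the call directly, `if(! openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey'])) continue;`, make the comparison strict, `if($final_dfrn_id !== $contact['dfrn-id'])`, and also skip the contact when `strpos()` finds no `.`. The enclosing loop begins and ends outside this hunk, so how `$contact` and its `pubkey` are loaded is not visible here.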