From aca2e3b52ae44b5abe2681bc03351feb150e47ef Mon Sep 17 00:00:00 2001
From: friendica
Date: Fri, 2 Nov 2012 15:34:35 -0700
Subject: add key passing and verification to targeted discovery
---
 mod/zfinger.php | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
(limited to 'mod/zfinger.php')
diff --git a/mod/zfinger.php b/mod/zfinger.php
index ea8da0c23..5567f85cf 100644
--- a/mod/zfinger.php
+++ b/mod/zfinger.php
@@ -7,11 +7,19 @@ function zfinger_init(&$a) {
 $ret = array('success' => false);
- $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : '');
- $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : '');
- $ztarget = ((x($_REQUEST,'target')) ? trim($_REQUEST['target']) : '');
- $zsig = ((x($_REQUEST,'target_sig')) ? trim($_REQUEST['target_sig']) : '');
-
+ $zguid = ((x($_REQUEST,'guid')) ? $_REQUEST['guid'] : '');
+ $zaddr = ((x($_REQUEST,'address')) ? $_REQUEST['address'] : '');
+ $ztarget = ((x($_REQUEST,'target')) ? $_REQUEST['target'] : '');
+ $zsig = ((x($_REQUEST,'target_sig')) ? $_REQUEST['target_sig'] : '');
+ $zkey = ((x($_REQUEST,'key')) ? $_REQUEST['key'] : '');
+
+ if($ztarget) {
+ if((! $zkey) || (! $zsig) || (! rsa_verify($ztarget,base64url_decode($zsig),$zkey))) {
+ logger('zfinger: invalid target signature');
+ $ret['message'] = t("invalid target signature");
+ json_return_and_die($ret);
+ }
+ }
 $r = null;
--
cgit v1.2.3
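Review bot: The key handed to `rsa_verify()` in the new `if($ztarget)` block is read from the same request as `target` and `target_sig`, so a passing check only shows that the sender holds the private key matching the key it sent; nothing in this hunk ties `$zkey` to the identity named by `$ztarget`. The body of zfinger_init starts before and continues past the hunk, so a later comparison against a key already stored for that target may exist, but if it does not, the target should be treated as unauthenticated for any access decision made from it. A comment above the check such as `// $zkey is requester-supplied: this proves possession of the matching private key only, not ownership of $ztarget` would make the trust boundary explicit. The new assignments also drop the `trim()` that `target` and `target_sig` had before, and no parameter is checked for type, so an array-valued `key[]` or `target_sig[]` reaches `base64url_decode()` and `rsa_verify()`; a guard like `$zkey = ((x($_REQUEST,'key') && is_string($_REQUEST['key'])) ? $_REQUEST['key'] : '');` (and likewise for `$ztarget` and `$zsig`) turns that into the existing "invalid target signature" path.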