clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Enable remote authentication with HTTP Signatures

Browse Source
This commit is contained in:
Michael
2019-03-19 06:44:51 +00:00
parent d23e877b21
commit 0aab620d32
4 changed files with 66 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/Util/HTTPSignature.php
View File

@@ -488,8 +488,10 @@ class HTTPSignature
return false;
}
$hasGoodSignedContent = false;
// Check the digest when it is part of the signed data
if (in_array('digest', $sig_block['headers'])) {
if (!empty($content) && in_array('digest', $sig_block['headers'])) {
$digest = explode('=', $headers['digest'], 2);
if ($digest[0] === 'SHA-256') {
$hashalg = 'sha256';
@@ -503,6 +505,8 @@ class HTTPSignature
if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
return false;
}
$hasGoodSignedContent = true;
}
// Check if the signed date field is in an acceptable range
@@ -512,6 +516,7 @@ class HTTPSignature
Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid.");
return false;
}
$hasGoodSignedContent = true;
}
// Check the content-length when it is part of the signed data
@@ -521,6 +526,12 @@ class HTTPSignature
}
}
// Ensure that the authentication had been done with some content
// Without this check someone could authenticate with fakeable data
if (!$hasGoodSignedContent) {
return false;
}
return $key['url'];
}