Merge pull request #6906 from annando/http-sign-photo

Use HTTP-Signature to authenticate when fetching photos.
This commit is contained in:
Hypolite Petovan 2019-03-18 20:15:38 -04:00 committed by GitHub
commit d23e877b21
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 82 additions and 47 deletions

View File

@ -45,6 +45,9 @@ class Photo extends BaseModule
exit; exit;
} }
/// @todo Add Authentication to enable fetching of non public content
// $requester = HTTPSignature::getSigner('', $_SERVER);
$customsize = 0; $customsize = 0;
$photo = false; $photo = false;
switch($a->argc) { switch($a->argc) {

View File

@ -10,8 +10,9 @@ use Friendica\Core\L10n;
use Friendica\Core\System; use Friendica\Core\System;
use Friendica\Model\Photo; use Friendica\Model\Photo;
use Friendica\Object\Image; use Friendica\Object\Image;
use Friendica\Util\Network; use Friendica\Util\HTTPSignature;
use Friendica\Util\Proxy as ProxyUtils; use Friendica\Util\Proxy as ProxyUtils;
use Friendica\Core\Logger;
/** /**
* @brief Module Proxy * @brief Module Proxy
@ -81,30 +82,27 @@ class Proxy extends BaseModule
// Try to use photo from db // Try to use photo from db
self::responseFromDB($request); self::responseFromDB($request);
// //
// If script is here, the requested url has never cached before. // If script is here, the requested url has never cached before.
// Let's fetch it, scale it if required, then save it in cache. // Let's fetch it, scale it if required, then save it in cache.
// //
// It shouldn't happen but it does - spaces in URL // It shouldn't happen but it does - spaces in URL
$request['url'] = str_replace(' ', '+', $request['url']); $request['url'] = str_replace(' ', '+', $request['url']);
$redirects = 0; $fetchResult = HTTPSignature::fetchRaw($request['url'], local_user(), true, ['timeout' => 10]);
$fetchResult = Network::fetchUrlFull($request['url'], true, $redirects, 10);
$img_str = $fetchResult->getBody(); $img_str = $fetchResult->getBody();
$tempfile = tempnam(get_temppath(), 'cache');
file_put_contents($tempfile, $img_str);
$mime = mime_content_type($tempfile);
unlink($tempfile);
// If there is an error then return a blank image // If there is an error then return a blank image
if ((substr($fetchResult->getReturnCode(), 0, 1) == '4') || (!$img_str)) { if ((substr($fetchResult->getReturnCode(), 0, 1) == '4') || (!$img_str)) {
self::responseError(); self::responseError();
// stop. // stop.
} }
$tempfile = tempnam(get_temppath(), 'cache');
file_put_contents($tempfile, $img_str);
$mime = mime_content_type($tempfile);
unlink($tempfile);
$image = new Image($img_str, $mime); $image = new Image($img_str, $mime);
if (!$image->isValid()) { if (!$image->isValid()) {
self::responseError(); self::responseError();
@ -160,7 +158,6 @@ class Proxy extends BaseModule
$size = 1024; $size = 1024;
$sizetype = ''; $sizetype = '';
// Look for filename in the arguments // Look for filename in the arguments
if (($a->argc > 1) && !isset($_REQUEST['url'])) { if (($a->argc > 1) && !isset($_REQUEST['url'])) {
if (isset($a->argv[3])) { if (isset($a->argv[3])) {
@ -277,8 +274,8 @@ class Proxy extends BaseModule
* @throws \Friendica\Network\HTTPException\InternalServerErrorException * @throws \Friendica\Network\HTTPException\InternalServerErrorException
* @throws \ImagickException * @throws \ImagickException
*/ */
private static function responseFromDB(&$request) { private static function responseFromDB(&$request)
{
$photo = Photo::getPhoto($request['urlhash']); $photo = Photo::getPhoto($request['urlhash']);
if ($photo !== false) { if ($photo !== false) {
@ -292,7 +289,8 @@ class Proxy extends BaseModule
* @brief Output a blank image, without cache headers, in case of errors * @brief Output a blank image, without cache headers, in case of errors
* *
*/ */
private static function responseError() { private static function responseError()
{
header('Content-type: image/png'); header('Content-type: image/png');
echo file_get_contents('images/blank.png'); echo file_get_contents('images/blank.png');
exit(); exit();
@ -319,5 +317,3 @@ class Proxy extends BaseModule
exit(); exit();
} }
} }

View File

@ -328,8 +328,46 @@ class HTTPSignature
*/ */
public static function fetch($request, $uid) public static function fetch($request, $uid)
{ {
$owner = User::getOwnerDataById($uid); $opts = ['accept_content' => 'application/activity+json, application/ld+json'];
$curlResult = self::fetchRaw($request, $uid, false, $opts);
if (empty($curlResult)) {
return false;
}
if (!$curlResult->isSuccess() || empty($curlResult->getBody())) {
return false;
}
$content = json_decode($curlResult->getBody(), true);
if (empty($content) || !is_array($content)) {
return false;
}
return $content;
}
/**
* @brief Fetches raw data for a user
*
* @param string $request request url
* @param integer $uid User id of the requester
* @param boolean $binary TRUE if asked to return binary results (file download) (default is "false")
* @param array $opts (optional parameters) assoziative array with:
* 'accept_content' => supply Accept: header with 'accept_content' as the value
* 'timeout' => int Timeout in seconds, default system config value or 60 seconds
* 'http_auth' => username:password
* 'novalidate' => do not validate SSL certs, default is to validate using our CA list
* 'nobody' => only return the header
* 'cookiejar' => path to cookie jar file
*
* @return object CurlResult
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
public static function fetchRaw($request, $uid = 0, $binary = false, $opts = [])
{
if (!empty($uid)) {
$owner = User::getOwnerDataById($uid);
if (!$owner) { if (!$owner) {
return; return;
} }
@ -346,25 +384,23 @@ class HTTPSignature
$signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256')); $signature = base64_encode(Crypto::rsaSign($signed_data, $owner['uprvkey'], 'sha256'));
$headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"'; $headers[] = 'Signature: keyId="' . $owner['url'] . '#main-key' . '",algorithm="rsa-sha256",headers="(request-target) date host",signature="' . $signature . '"';
} else {
$headers = [];
}
$headers[] = 'Accept: application/activity+json, application/ld+json'; if (!empty($opts['accept_content'])) {
$headers[] = 'Accept: ' . $opts['accept_content'];
}
$curlResult = Network::curl($request, false, $redirects, ['header' => $headers]); $curl_opts = $opts;
$curl_opts['header'] = $headers;
$curlResult = Network::curl($request, false, $redirects, $curl_opts);
$return_code = $curlResult->getReturnCode(); $return_code = $curlResult->getReturnCode();
Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG); Logger::log('Fetched for user ' . $uid . ' from ' . $request . ' returned ' . $return_code, Logger::DEBUG);
if (!$curlResult->isSuccess() || empty($curlResult->getBody())) { return $curlResult;
return false;
}
$content = json_decode($curlResult->getBody(), true);
if (empty($content) || !is_array($content)) {
return false;
}
return $content;
} }
/** /**