Browse Source

avoid a security patch and resultant compatibility issues; instead restrict the input characters we accept in token verification strings to hex digits. This will all be changing in the coming weeks/months anyway.

disroot_master
zotlabs 3 years ago
parent
commit
6147f819ce
2 changed files with 1 additions and 3 deletions
  1. +0
    -1
      Zotlabs/Zot/Auth.php
  2. +1
    -2
      include/zot.php

+ 0
- 1
Zotlabs/Zot/Auth.php View File

@@ -167,7 +167,6 @@ class Auth {
dbesc($hubloc['hubloc_url'])
);

// needs a nonce!!!!
$p = zot_build_packet($channel,$type = 'auth_check',
array(array('guid' => $hubloc['hubloc_guid'],'guid_sig' => $hubloc['hubloc_guid_sig'])),
$hubloc['hubloc_sitekey'], (($x) ? $x[0]['site_crypto'] : ''), $this->sec);


+ 1
- 2
include/zot.php View File

@@ -137,7 +137,7 @@ function zot_build_packet($channel, $type = 'notify', $recipients = null, $remot
}

if ($secret) {
$data['secret'] = $secret;
$data['secret'] = preg_replace('/[^0-9a-fA-F]/','',$secret);
$data['secret_sig'] = base64url_encode(rsa_sign($secret,$channel['channel_prvkey'],$sig_method));
}

@@ -4621,7 +4621,6 @@ function zot_reply_auth_check($data,$encrypted_packet) {
// First verify their signature. We will have obtained a zot-info packet from them as part of the sender
// verification.

// needs a nonce!!!!
if ((! $y) || (! rsa_verify($data['secret'], base64url_decode($data['secret_sig']),$y[0]['xchan_pubkey']))) {
logger('mod_zot: auth_check: sender not found or secret_sig invalid.');
$ret['message'] .= 'sender not found or sig invalid ' . print_r($y,true) . EOL;


Loading…
Cancel
Save