Friendica/friendica-github
1
0
Fork 1
mirror of https://github.com/friendica/friendica synced 2025-02-11 10:54:00 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #14700 from annando/get-signer

Browse source 
Issue 14692: Prevent loops with remote servers
This commit is contained in:
Hypolite Petovan 2025-01-22 20:50:41 -05:00 committed by GitHub
commit 3d1ab8c5b9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 38 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
src/Util/HTTPSignature.php
View file

@ -57,11 +57,13 @@ class HTTPSignature
// Decide if $data arrived via controller submission or curl.
$headers = [];
$headers['(request-target)'] = strtolower(DI::args()->getMethod()) . ' ' . $_SERVER['REQUEST_URI'];
foreach ($_SERVER as $k => $v) {
if (strpos($k, 'HTTP_') === 0) {
$field = str_replace('_', '-', strtolower(substr($k, 5)));
$headers[$field] = $v;
}
}
@ -98,6 +100,7 @@ class HTTPSignature
if ($key && function_exists($key)) {
$result['signer'] = $sig_block['keyId'];
$key = $key($sig_block['keyId']);
}
@ -387,7 +390,7 @@ class HTTPSignature
* @param int $gsid Server ID
* @throws \Exception
*/
static public function setInboxStatus(string $url, bool $success, bool $shared = false, int $gsid = null)
public static function setInboxStatus(string $url, bool $success, bool $shared = false, int $gsid = null)
{
$now = DateTimeFormat::utcNow();
@ -604,13 +607,14 @@ class HTTPSignature
/**
* Gets a signer from a given HTTP request
*
* @param string $content
* @param array $http_headers
* @param string $content Body of the request
* @param array $http_headers array containing the HTTP headers
* @param ?boolean $update true = always update, false = never update, null = update when not found or outdated
*
* @return string|null|false Signer
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
public static function getSigner(string $content, array $http_headers)
public static function getSigner(string $content, array $http_headers, ?bool $update = null)
{
if (empty($http_headers['HTTP_SIGNATURE'])) {
DI::logger()->debug('No HTTP_SIGNATURE header');
@ -630,11 +634,13 @@ class HTTPSignature
}
$headers = [];
$headers['(request-target)'] = strtolower(DI::args()->getMethod()) . ' ' . parse_url($http_headers['REQUEST_URI'], PHP_URL_PATH);
// First take every header
foreach ($http_headers as $k => $v) {
$field = str_replace('_', '-', strtolower($k));
$headers[$field] = $v;
}
@ -642,6 +648,7 @@ class HTTPSignature
foreach ($http_headers as $k => $v) {
if (strpos($k, 'HTTP_') === 0) {
$field = str_replace('_', '-', strtolower(substr($k, 5)));
$headers[$field] = $v;
}
}
@ -700,7 +707,7 @@ class HTTPSignature
return false;
}
$key = self::fetchKey($sig_block['keyId'], $actor);
$key = self::fetchKey($sig_block['keyId'], $actor, $update);
if (empty($key)) {
DI::logger()->info('Empty key');
return false;
@ -802,17 +809,18 @@ class HTTPSignature
/**
* fetches a key for a given id and actor
*
* @param string $id
* @param string $actor
* @param string $id keyId of the signature block
* @param string $actor Actor URI
* @param ?boolean $update true = always update, false = never update, null = update when not found or outdated
*
* @return array with actor url and public key
* @throws \Exception
*/
private static function fetchKey(string $id, string $actor): array
private static function fetchKey(string $id, string $actor, ?bool $update = null): array
{
$url = (strpos($id, '#') ? substr($id, 0, strpos($id, '#')) : $id);
$profile = APContact::getByURL($url);
$profile = APContact::getByURL($url, $update);
if (!empty($profile)) {
DI::logger()->info('Taking key from id', ['id' => $id]);
return ['url' => $url, 'pubkey' => $profile['pubkey'], 'type' => $profile['type']];