mirror of
https://codeberg.org/streams/streams.git
synced 2024-09-19 23:35:12 +00:00
reduce susceptibility to bleichenberger attack
This commit is contained in:
parent
1f916adfb8
commit
d4ea56a77e
4 changed files with 21 additions and 8 deletions
1
boot.php
1
boot.php
|
@ -1176,6 +1176,7 @@ function check_config(&$a) {
|
|||
// our URL changed. Do something.
|
||||
|
||||
$oldurl = hex2bin($saved);
|
||||
logger('Baseurl changed!');
|
||||
|
||||
$oldhost = substr($oldurl,strpos($oldurl,'//')+2);
|
||||
$host = substr(z_root(),strpos(z_root(),'//')+2);
|
||||
|
|
|
@ -1312,7 +1312,7 @@ function get_plink($item) {
|
|||
$a = get_app();
|
||||
if (x($item,'plink') && ($item['item_private'] != 1)) {
|
||||
return array(
|
||||
'href' => $item['plink'],
|
||||
'href' => zid($item['plink']),
|
||||
'title' => t('link to source'),
|
||||
);
|
||||
}
|
||||
|
|
24
mod/post.php
24
mod/post.php
|
@ -174,18 +174,30 @@ function post_post(&$a) {
|
|||
if(array_key_exists('iv',$data)) {
|
||||
$data = aes_unencapsulate($data,get_config('system','prvkey'));
|
||||
logger('mod_zot: decrypt1: ' . $data, LOGGER_DATA);
|
||||
if(! $data) {
|
||||
$ret['message'] = 'Decryption failed.';
|
||||
json_return_and_die($ret);
|
||||
}
|
||||
|
||||
// susceptible to Bleichenberger attack
|
||||
// if(! $data) {
|
||||
// $ret['message'] = 'Decryption failed.';
|
||||
// json_return_and_die($ret);
|
||||
// }
|
||||
|
||||
$data = json_decode($data,true);
|
||||
|
||||
}
|
||||
|
||||
if(! $data) {
|
||||
$ret['message'] = 'No data received.';
|
||||
json_return_and_die($ret);
|
||||
|
||||
// possible Bleichenberger attack, just treat it as a
|
||||
// message we have no handler for. It should fail a bit
|
||||
// further along with "no hub". Our public key is public
|
||||
// knowledge. There's no reason why anybody should get the
|
||||
// encryption wrong unless they're fishing or hacking. If
|
||||
// they're developing and made a goof, this can be discovered
|
||||
// in the logs of the destination site. If they're fishing or
|
||||
// hacking, the bottom line is we can't verify their hub.
|
||||
// That's all we're going to tell them.
|
||||
|
||||
$data = array('type' => 'bogus');
|
||||
}
|
||||
|
||||
logger('mod_zot: decoded data: ' . print_r($data,true), LOGGER_DATA);
|
||||
|
|
|
@ -1 +1 @@
|
|||
2013-09-23.445
|
||||
2013-09-24.446
|
||||
|
|
Loading…
Reference in a new issue