author | Maxence Lange <maxence@artificial-owl.com> | 2021-03-19 10:34:52 -0100 |
committer | GitHub <noreply@github.com> | 2021-03-19 10:34:52 -0100 |
commit | 829794ed39ee8ad88fcf3cfba88e1535a321d3e6 (patch) | |
tree | 8598887733babbe9f597b4bfb74ebfcc0105295f | |
parent | b2b285168b73d32540e24bf9733fad0d3b1c9b7a (diff) | |
parent | 250be300bd77f77b3a4898753d1d991c04103267 (diff) |
Merge pull request #1227 from nextcloud/fix/noid/check-length-and-digest
check content-length and digest
-rw-r--r-- | lib/Service/SignatureService.php | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/lib/Service/SignatureService.php b/lib/Service/SignatureService.php
index f76ab2ad..2b1c94aa 100644
--- a/lib/Service/SignatureService.php
+++ b/lib/Service/SignatureService.php
@@ -256,6 +256,14 @@ class SignatureService {
 throw new SignatureException('object is too old');
 }
+ if (strlen($data) !== (int)$request->getHeader('content-length')) {
+ throw new SignatureException('issue with content-length');
+ }
+
+ if ($this->generateDigest($data) !== $request->getHeader('digest')) {
+ throw new SignatureException('issue with digest');
+ }
+
 try {
 return $this->checkRequestSignature($request, $data);
 } catch (RequestContentException $e) {
@@ -379,9 +387,6 @@ class SignatureService {
 $signed = base64_decode($sign['signature']);
 $estimated = $this->generateEstimatedSignature($headers, $request);
- // TODO: check digest
- // $this->generateDigest($data);
-
 try {
 $publicKey = $this->retrieveKey($keyId);
 $this->checkRequestSignatureUsingPublicKey($publicKey, $sign, $estimated, $signed);
@@ -422,10 +427,15 @@ class SignatureService {
 *
 * @return string
 * @throws SocialAppConfigException
+ * @throws SignatureException
 */
 private function generateEstimatedSignature(string $headers, IRequest $request): string {
 $keys = explode(' ', $headers);
+ if (!empty(array_diff(['(request-target)', 'date', 'digest', 'host'], $keys))) {
+ throw new SignatureException('missing elements in \'headers\'');
+ }
+
 $target = '';
 try {
 $target = strtolower($request->getMethod()) . " " . $request->getRequestUri(); |
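Review bot: The new content-length check in the first hunk casts the raw header with `(int)`, so a request that omits Content-Length entirely (getHeader presumably yields an empty string, which casts to 0) is indistinguishable from one that declares `0`, and a non-numeric or leading-garbage value such as `12abc` is silently truncated to a number before comparison. Read the header into a local, reject it when it is empty or not purely digits, and only then compare it against the body length: `$contentLength = $request->getHeader('content-length');` / `if ($contentLength === '' || !ctype_digit($contentLength) || (int)$contentLength !== strlen($data)) {`. The digest comparison on the following lines uses a strict string compare against `generateDigest($data)`, which is appropriate since the digest is not a secret, but a short comment stating the expected header form would help the next reader — `// expected form produced by generateDigest(), e.g. "SHA-256=<base64>" — confirm against generateDigest()`. The enclosing method starts and ends outside this hunk.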
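Review bot: In the third hunk the added check in generateEstimatedSignature discards the result of `array_diff`, so the SignatureException only says that elements are missing without naming which of `(request-target)`, `date`, `digest` or `host` the peer left out of its `headers` parameter, which makes federation failures hard to diagnose from logs. Keep the diff in a local and include it in the message: `$missing = array_diff(['(request-target)', 'date', 'digest', 'host'], $keys);` / `if ($missing !== []) {` / `throw new SignatureException('missing elements in \'headers\': ' . implode(', ', $missing));`. Comparing against `[]` also avoids `empty()`, which the project's static analysis is likely to flag. The rest of the method, where `$keys` is consumed, lies outside the hunk.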