keith/barkey
1
0
Fork 0
mirror of https://codeberg.org/yeentown/barkey synced 2024-11-21 17:55:11 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name

Browse source
This commit is contained in:
Laura Hausmann 2024-10-24 04:40:33 +02:00 committed by Julia Johannesen
parent 174dfb83d0
commit 9ab25ede28
No known key found for this signature in database
GPG key ID: 4A1377AF3E7FBC46
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
packages/backend/src/server/ActivityPubServerService.ts
View file

@ -152,7 +152,7 @@ export class ActivityPubServerService {
let signature; let signature;
try { try {
signature = httpSignature.parseRequest(request.raw, { 'headers': [] }); signature = httpSignature.parseRequest(request.raw, { 'headers': ['(request-target)', 'host', 'date'], authorizationHeaderName: 'signature' });
} catch (e) { } catch (e) {
// not signed, or malformed signature: refuse // not signed, or malformed signature: refuse
this.authlogger.warn(`${request.id} ${request.url} not signed, or malformed signature: refuse`); this.authlogger.warn(`${request.id} ${request.url} not signed, or malformed signature: refuse`);
@ -229,7 +229,7 @@ export class ActivityPubServerService {
let signature; let signature;
try { try {
signature = httpSignature.parseRequest(request.raw, { 'headers': [] }); signature = httpSignature.parseRequest(request.raw, { 'headers': ['(request-target)', 'digest', 'host', 'date'], authorizationHeaderName: 'signature' });
} catch (e) { } catch (e) {
reply.code(401); reply.code(401);
return; return;