Be more lenient with timestamp checking in signatures
rodzic
d88addacb0
commit
d829c201f2
11
index.php
11
index.php
@ -1484,8 +1484,8 @@ HTML;
// Ensure the header keys match the format expected by the signature
$headers = array_change_key_case( $headers, CASE_LOWER );
|
// Validate the timestamp is within ±30 seconds
// 7.2.4 of https://datatracker.ietf.org/doc/rfc9421/ says compare the Date header and the published date of the message
// Validate the timestamp
// 7.2.4 of https://datatracker.ietf.org/doc/rfc9421/
if ( !isset( $headers["date"] ) ) {
// No date set
// Filename for the log
|
@ -1502,10 +1502,11 @@ HTML;
$headerDatetime = DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader);
$currentDatetime = new DateTime();
|
// First, check if the message was sent more than 30 seconds ago
// First, check if the message was sent no more than ± 1 hour
// https://github.com/mastodon/mastodon/blob/82c2af0356ff888e9665b5b08fda58c7722be637/app/controllers/concerns/signature_verification.rb#L11
// Calculate the time difference in seconds
$timeDifference = abs( $currentDatetime->getTimestamp() - $headerDatetime->getTimestamp() );
if ( $timeDifference > 30 ) {
if ( $timeDifference > 3600 ) {
// Write a log detailing the error
// Filename for the log
$filename = "{$timestamp}.{$type}.Signature.Delay_Failure.txt";
|
@ -1525,7 +1526,7 @@ HTML;
$publishedDatetime = new DateTime($published);
// Calculate the time difference in seconds
$timeDifference = abs( $publishedDatetime->getTimestamp() - $headerDatetime->getTimestamp() );
if ( $timeDifference > 30 ) {
if ( $timeDifference > 60 ) {
// Write a log detailing the error
// Filename for the log
$filename = "{$timestamp}.{$type}.Signature.Time_Failure.txt";
|
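Review bot: In the second hunk the widened window now rests entirely on `$headerDatetime->getTimestamp()`, but `DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader)` returns `false` when the Date header does not match that exact format, so a malformed header still reaches the subtraction and raises an Error instead of failing closed the way the missing-header and delay cases do with a log entry. I would add, directly after the `createFromFormat` line, `if ( $headerDatetime === false ) { /* write a Signature.Date_Failure log and reject, as for the other failures */ }` so the request is refused with the same logging path; this also protects the `$publishedDatetime` comparison in the third hunk. The move from 30 seconds to 3600 seconds is consistent with the linked Mastodon limit but is a deliberately larger acceptance window for a signed request, so the comment at `// First, check if the message was sent no more than ± 1 hour` would be clearer as `// Accept Date headers within ±1 hour of now (Mastodon's expiration window); the ±60 s published-date check below is the tighter bound`. The enclosing function begins and ends outside these hunks, and where `$dateHeader` is derived from `$headers["date"]` is not visible here, so I am assuming it is passed through unmodified.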