From d829c201f27fe8daa0bde8974fa5faff7144c762 Mon Sep 17 00:00:00 2001
From: Terence Eden
Date: Sun, 17 Mar 2024 20:53:30 +0000
Subject: [PATCH] Be more lenient with timestamp checking in signatures
---
 index.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/index.php b/index.php
index a996d60..18c8b13 100644
--- a/index.php
+++ b/index.php
@@ -1484,8 +1484,8 @@ HTML;
 // Ensure the header keys match the format expected by the signature
 $headers = array_change_key_case( $headers, CASE_LOWER );
- // Validate the timestamp is within ±30 seconds
- // 7.2.4 of https://datatracker.ietf.org/doc/rfc9421/ says compare the Date header and the published date of the message
+ // Validate the timestamp
+ // 7.2.4 of https://datatracker.ietf.org/doc/rfc9421/
 if ( !isset( $headers["date"] ) ) {
 // No date set
 // Filename for the log
@@ -1502,10 +1502,11 @@ HTML;
 $headerDatetime = DateTime::createFromFormat('D, d M Y H:i:s T', $dateHeader);
 $currentDatetime = new DateTime();
- // First, check if the message was sent more than 30 seconds ago
+ // First, check if the message was sent no more than ± 1 hour
+ // https://github.com/mastodon/mastodon/blob/82c2af0356ff888e9665b5b08fda58c7722be637/app/controllers/concerns/signature_verification.rb#L11
 // Calculate the time difference in seconds
 $timeDifference = abs( $currentDatetime->getTimestamp() - $headerDatetime->getTimestamp() );
- if ( $timeDifference > 30 ) {
+ if ( $timeDifference > 3600 ) {
 // Write a log detailing the error
 // Filename for the log
 $filename = "{$timestamp}.{$type}.Signature.Delay_Failure.txt";
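Review bot: The rewritten comment in the first hunk drops the explanation of what is being validated — the removed text said the `Date` header is compared with the message's published date, while the new `// Validate the timestamp` states neither what is compared nor why, so a reader reaching the `if ( !isset( $headers["date"] ) )` check below has no stated rationale for the tolerances applied further down. Suggest `// Validate the request Date header: it must be close to our own clock (clock-skew / replay bound) and close to the object's published time; see RFC 9421 §7.2.4` in place of the two new comment lines. The block this comment introduces continues outside the hunk.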
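Review bot: The `$timeDifference = abs( ... )` line that feeds the new `if ( $timeDifference > 3600 )` calls `$headerDatetime->getTimestamp()` on a value that `DateTime::createFromFormat` (context line above) returns as `false` when the remote `Date` header is malformed, so a bad header aborts the verifier with a fatal error instead of being logged and rejected like the other failures; add `if ( $headerDatetime === false ) { /* log a Signature.Date_Failure and return */ }` directly after the `createFromFormat` call. Widening the window from 30 s to 3600 s also widens the time a captured, validly signed request can be replayed by the same amount, so the new comment should say this is a clock-skew bound rather than a freshness guarantee — the linked Mastodon file, if I recall it correctly, pairs a one-hour skew margin with a separate expiry limit rather than a single ± 1 h window, which is worth confirming before citing it as the model. The literals `3600` here and `60` in the next hunk would be clearer as named constants, e.g. `const SIGNATURE_CLOCK_SKEW_SECONDS = 3600;`. The enclosing function begins outside the hunk.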
@@ -1525,7 +1526,7 @@ HTML;
 $publishedDatetime = new DateTime($published);
 // Calculate the time difference in seconds
 $timeDifference = abs( $publishedDatetime->getTimestamp() - $headerDatetime->getTimestamp() );
- if ( $timeDifference > 30 ) {
+ if ( $timeDifference > 60 ) {
 // Write a log detailing the error
 // Filename for the log
 $filename = "{$timestamp}.{$type}.Signature.Time_Failure.txt";
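Review bot: `new DateTime($published)` on the first context line throws an `Exception` when the value is not a parseable date, and nothing in the hunk catches it, so if `$published` comes from the remote object's payload a malformed value aborts verification with an uncaught exception instead of producing the logged `Time_Failure` the new `if ( $timeDifference > 60 )` is meant to handle; wrap it as `try { $publishedDatetime = new DateTime($published); } catch ( Exception $e ) { /* log and reject */ }`. A 60-second tolerance between `published` and the request `Date` is also likely to reject legitimate traffic: `published` is fixed when the object is created while `Date` is set per request, so any retried or delayed delivery more than a minute after creation fails here, even though the previous hunk accepts an hour of skew on the same `Date` header — the two tolerances look inconsistent and deserve a comment stating why they differ. The enclosing function starts and ends outside the hunk.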