Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-31 11:05:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: update signature parsing logic to handle values with equal signs in them, closes #12538

Browse Source
This commit is contained in:
Julian Lam
2024-04-28 23:25:46 -04:00
parent 4d777552d8
commit 596a5e4ba2
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/middleware/activitypub.js
View File

@@ -76,7 +76,10 @@ middleware.validate = async function (req, res, next) {
await activitypub.actors.assert(actor); await activitypub.actors.assert(actor);
const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id'); const compare = await db.getObjectField(`userRemote:${actor}:keys`, 'id');
const { signature } = req.headers; const { signature } = req.headers;
const keyId = new Map(signature.split(',').filter(Boolean).map(v => v.split('='))).get('keyId'); const keyId = new Map(signature.split(',').filter(Boolean).map((v) => {
const index = v.indexOf('=');
return [v.substring(0, index), v.slice(index + 1)];
})).get('keyId');
if (`"${compare}"` !== keyId) { if (`"${compare}"` !== keyId) {
winston.verbose('[middleware/activitypub] Key ownership cross-check failed.'); winston.verbose('[middleware/activitypub] Key ownership cross-check failed.');
return res.sendStatus(403); return res.sendStatus(403);