From e5597399b625df478777bf5689db317f22af90a9 Mon Sep 17 00:00:00 2001
From: William Pitcock
Date: Fri, 10 Aug 2018 20:53:01 -0500
Subject: [PATCH] harden AP side a bit

---
 viera/actor.py | 5 ++++-
 viera/http_signatures.py | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/viera/actor.py b/viera/actor.py
index 42193e8..c1355cd 100644
--- a/viera/actor.py
+++ b/viera/actor.py
@@ -118,7 +118,10 @@ processors = {
 async def inbox(request):
-    data = await request.json()
+    data = await request.json(content_type=None)
+
+    if 'actor' not in data or not request['validated']:
+        raise aiohttp.web.HTTPUnauthorized(body='access denied', content_type='text/plain')
     actor = await fetch_actor(data["actor"])
     actor_uri = 'https://{}/actor'.format(request.host)
diff --git a/viera/http_signatures.py b/viera/http_signatures.py
index faf98f3..0cba6d7 100644
--- a/viera/http_signatures.py
+++ b/viera/http_signatures.py
@@ -91,14 +91,18 @@ async def validate(actor, request):
     h.update(sigstring.encode('ascii'))
     result = pkcs.verify(h, sigdata)
+    request['validated'] = result
+
     logging.debug('validates? %r', result)
     return result
 async def http_signatures_middleware(app, handler):
     async def http_signatures_handler(request):
+        request['validated'] = False
+
         if 'signature' in request.headers:
-            data = await request.json()
+            data = await request.json(content_type=None)
             if 'actor' not in data:
                 raise aiohttp.web.HTTPUnauthorized(body='signature check failed, no actor in message')
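Review bot: The new guard in inbox assumes the parsed body is a JSON object, but `request.json(content_type=None)` returns whatever the body decodes to, so `'actor' not in data` raises TypeError (an unhandled 500) for a number, bool or null and does a substring test on a string that only fails later at `data["actor"]`. Making the shape check explicit keeps the rejection on the fail-closed 401 path: `if not isinstance(data, dict) or 'actor' not in data or not request['validated']:`. The same `'actor' not in data` shape appears in http_signatures_handler in the second hunk, and in neither place is `data["actor"]` checked to be a string before it is handed to fetch_actor, which is outside this hunk. inbox's body continues past the end of the hunk.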