mirror
/
hometown
mirror of https://github.com/hometown-fork/hometown.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375) 

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
pull/1371/head
Shlee 4 months ago committed by Misty De Meo
parent
7731123e1c
commit
920820b311
No known key found for this signature in database
GPG Key ID: 76CF846A2F674B2C
1 changed files with 5 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      app/lib/signature_parser.rb

6
app/lib/signature_parser.rb
Unescape View File

@ -25,9 +25,13 @@ class SignatureParser
# Use `skip` instead of `scan` as we only care about the subgroups
while scanner.skip(PARAM_RE)
key = scanner[:key]
# Detect a duplicate key
raise Mastodon::SignatureVerificationError, 'Error parsing signature with duplicate keys' if params.key?(key)
# This is not actually correct with regards to quoted pairs, but it's consistent
# with our previous implementation, and good enough in practice.
params[scanner[:key]] = scanner[:value] || scanner[:quoted_value][1...-1]
params[key] = scanner[:value] || scanner[:quoted_value][1...-1]
scanner.skip(/\s*/)
return params if scanner.eos?

Write Preview
Loading…
Cancel
Save