Improve the subscription process signature verification #75

Merged
merged 1 commit into from Mar 25, 2014

Contributor

toctan commented Jun 8, 2013

Instagram.process_subscription(params[:body], signature: params["X-Hub-Signature"]) do |handler|
  # hi
end

With the above code, if a malicious request does not have an X-Hub-Signature header, the signature verification would be bypassed.
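The bypass described in the post above, as an added Ruby example that is not part of the original post and is not the gem's code: a fail-open check that skips verification when no signature is passed, next to a fail-closed one that treats a missing signature as a failure. All names and sample values are hypothetical, and the hex HMAC-SHA1 format of the header is an assumption.

```ruby
require "openssl"

# Constructed sample values; names below are hypothetical, not the gem's API.
SECRET = "constructed-client-secret"
BODY   = '[{"object":"user","changed_aspect":"media"}]'

class InvalidSignature < StandardError; end

# Assumption: the header carries the hex HMAC-SHA1 of the raw body.
def expected_signature(secret, body)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha1"), secret, body)
end

# Constant-time comparison, so timing does not reveal how much of a guess matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Fail-open model of the reported behaviour: no signature means no check.
def verify_fail_open(secret, body, signature)
  return true if signature.nil?
  secure_compare(expected_signature(secret, body), signature)
end

# Fail-closed: a missing, empty or non-string signature is a failed verification.
def verify_fail_closed(secret, body, signature)
  return false unless signature.is_a?(String) && !signature.empty?
  secure_compare(expected_signature(secret, body), signature)
end

# Hands the body to the block only after the signature has been verified.
def process_verified(secret, body, signature)
  unless verify_fail_closed(secret, body, signature)
    raise InvalidSignature, "missing or invalid X-Hub-Signature"
  end
  yield body
end
```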

Contributor

yaauie commented Jun 26, 2013

I believe the code in the bug's description should be:

-Instagram.process_subscription(params[:body], params["X-Hub-Signature"]) do |handler|
+Instagram.process_subscription(params[:body], signature: params["X-Hub-Signature"]) do |handler|
   # hi
 end
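Review bot: on the `+` line, `params["X-Hub-Signature"]` is nil whenever the request carries no such header, which is exactly the case the description says skips verification. It would help to say next to this sample that a missing header has to count as a failed verification rather than as "no signature supplied", so readers copying the call do not assume the keyword form alone makes it safe.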

Otherwise this makes sense 👍

Contributor

toctan commented Jun 26, 2013

@yaauie Yeah, you're right, thanks!

heatonjb merged commit 71be08a into facebookarchive:master Mar 25, 2014
