Fix Mastodon not correctly processing HTTP Signatures with query strings #28476
Codecov Report
Attention:
Additional details and impacted files

@@            Coverage Diff             @@
##             main   #28476      +/-   ##
==========================================
- Coverage   84.59%   84.58%   -0.02%
==========================================
  Files        1039     1039
  Lines       28240    28254      +14
  Branches     4550     4556       +6
==========================================
+ Hits        23891    23900       +9
- Misses       3197     3202       +5
  Partials     1152     1152
I saw where #28443 got merged. Is this PR now where it could be tested independently?

#28443 was a refactor of the existing tests. This PR changes the behaviour, and adds more tests for the query string cases.

Understood, just wanted to check it wasn't waiting/dependent on any other changes.

In #18474 @nachtjasmin mentioned a change in behavior of 401s related to GoToSocial interaction, but 5 days into this patch I've seen no change, just continued accumulation of dead jobs:

As written in the PR's description, this PR only handles incoming requests in addition to the previous broken signatures; it does not use correct outgoing requests, but maybe that could be changed.
8b4d40a to a20eda2

Understood.
Looks good to me, made one minor comment to make it easier when deciding when to remove the old behaviour.
a20eda2 to 833289e

This PR doesn't actually make use of the new I'll make a PR that'll deploy a fix described along the lines of superseriousbusiness/gotosocial#894 (comment)
…ery strings (mastodon#28476)" This reverts commit 59ad2cb.
Revival of #18474 (GitHub can be confusing…)
cf. https://honk.tedunangst.com/u/tedu/h/1mZMtCVQ1clC7MfBg9
When signing or verifying signatures for requests with query strings, Mastodon incorrectly builds the `request-target` pseudo-header. Indeed, it does not include the query string, while the HTTP Signatures draft states:

The `:path` pseudo-header is defined as:

Because this is the first time in years that I have seen someone raise this issue, I think we can assume other implementations got it wrong too (or did not bother reporting it and worked around it instead). Therefore, changing to the correct version of this draft will likely cause compatibility issues. That's why for the time being, this PR only handles incoming requests in addition to the previous broken signatures.
On a side note, the drafts we are currently implementing have been superseded by more recent drafts, which we should probably move to eventually. However, I would like #15605 to be merged before working on that.
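The behaviour described above, as an added illustration that is not Mastodon's own code: the `(request-target)` pseudo-header is built once with the query string (the form the draft requires) and once without it (the legacy form), and the verifier accepts the correct form first and only falls back to the legacy form when the request carries a query string. The key pair, URL, headers and the function names (`request_target`, `signing_string`, `sign_request`, `verify_request`, `demo`) are constructed for this example and are not taken from the PR.

```ruby
require 'openssl'
require 'uri'

# Build the (request-target) pseudo-header for an HTTP request.
# include_query: true  -> "post /inbox?page=true" (what the draft requires: path plus query)
#                false -> "post /inbox"           (the legacy behaviour that dropped the query)
def request_target(method, url, include_query: true)
  uri = URI.parse(url)
  target = uri.path.empty? ? '/' : uri.path
  target += "?#{uri.query}" if include_query && uri.query
  "#{method.downcase} #{target}"
end

# Signing string: one "name: value" line per covered header, in the order the
# Signature header lists them. Header names are looked up lowercased.
def signing_string(method, url, headers, covered, include_query: true)
  covered.map do |name|
    value = if name == '(request-target)'
              request_target(method, url, include_query: include_query)
            else
              headers.fetch(name.downcase)
            end
    "#{name}: #{value}"
  end.join("\n")
end

# Sender side: RSA-SHA256 over the signing string, strict base64 via pack('m0').
def sign_request(private_key, method, url, headers, covered, include_query: true)
  data = signing_string(method, url, headers, covered, include_query: include_query)
  [private_key.sign(OpenSSL::Digest.new('SHA256'), data)].pack('m0')
end

# Receiver side: try the correct form first; for requests that carry a query
# string, fall back to the legacy form so peers still signing the old way keep
# working. Returns :correct, :legacy or :invalid so the caller can log which
# form the peer used (useful when deciding when to drop the fallback).
def verify_request(public_key, method, url, headers, covered, signature_b64)
  sig = signature_b64.unpack1('m0')
  digest = OpenSSL::Digest.new('SHA256')
  correct = signing_string(method, url, headers, covered, include_query: true)
  return :correct if public_key.verify(digest, sig, correct)
  if URI.parse(url).query
    legacy = signing_string(method, url, headers, covered, include_query: false)
    return :legacy if public_key.verify(digest, sig, legacy)
  end
  :invalid
rescue OpenSSL::PKey::PKeyError, ArgumentError
  :invalid
end

# Constructed demo data (not from the PR): a throwaway key pair and a sample inbox request.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
DEMO_URL = 'https://example.org/users/alice/inbox?page=true'
DEMO_HEADERS = { 'host' => 'example.org', 'date' => 'Mon, 01 Jan 2024 00:00:00 GMT' }
COVERED = ['(request-target)', 'host', 'date'].freeze

def demo
  pub = DEMO_KEY.public_key
  good = sign_request(DEMO_KEY, 'POST', DEMO_URL, DEMO_HEADERS, COVERED)
  old  = sign_request(DEMO_KEY, 'POST', DEMO_URL, DEMO_HEADERS, COVERED, include_query: false)
  {
    correct: verify_request(pub, 'POST', DEMO_URL, DEMO_HEADERS, COVERED, good),
    legacy: verify_request(pub, 'POST', DEMO_URL, DEMO_HEADERS, COVERED, old),
    # A signature made over one query string must not verify for a different one.
    tampered: verify_request(pub, 'POST', DEMO_URL.sub('page=true', 'page=false'),
                             DEMO_HEADERS, COVERED, good)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The fallback is what keeps peers that still drop the query string working, but it also means a legacy-form signature verifies regardless of what query string the request actually carries, which is exactly the weakness the correct form closes; returning `:legacy` distinctly makes it possible to measure how many peers still depend on it before removing the old behaviour.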