Tweak signature verification #15069
Tweak signature verification #15069
Conversation
This may help other implementors debug their implementation.
The only POST requests processed by Mastodon need objects/actors (including their host) to be explicitly mentioned in the request's body, so replaying a legitimate request to another host should not be a security issue.
ClearlyClaire
force-pushed
the
fixes/signature-verification-tweaks
branch
from
9a91a2e
to
ca567c7
Compare
Not sure why this? If I understand correctly, without |
Yes, that is an issue with GET. But as far as POST is concerned, we won't do anything if we haven't received an Activity targeting one of our actors, so something targeting another fediverse instance would be irrelevant to us and we would discard it even if it were replayed.
#15016 (comment) but I don't know if more are affected. Either way, I'm not opposed to drop this PR, since we already have a release with that restriction anyway |
ClearlyClaire
force-pushed
the
fixes/signature-verification-tweaks
branch
from
14223c7
to
175b9a6
Compare
|
Changed it again to accept actually valid |
* Add more specific error message when request body digest is invalid This may help other implementors debug their implementation. * Relax Host parameter requirement to GET requests The only POST requests processed by Mastodon need objects/actors (including their host) to be explicitly mentioned in the request's body, so replaying a legitimate request to another host should not be a security issue. * Support Digest headers using multiple algorithms or lowercase alogirthm names
Hostheader to be signed for POST requests, to restore compatibility with software that did not sign it (I'm not sure there is any software that was broken by this single change)