aboutsummaryrefslogtreecommitdiff
path: root/engine
diff options
context:
space:
mode:
authorcash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>2009-11-12 12:43:26 +0000
committercash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544>2009-11-12 12:43:26 +0000
commit7e038ec3fed45caff219636a45bcc8b97d6407d7 (patch)
tree62a9ac6973b16ba663a459fc1ec55deeba2bc479 /engine
parent4f2ae37148b0a4489ea4ed9b5e62d0307450560a (diff)
downloadelgg-7e038ec3fed45caff219636a45bcc8b97d6407d7.tar.gz
elgg-7e038ec3fed45caff219636a45bcc8b97d6407d7.tar.bz2
added a nonce to hmac signature and header so same call in same second does not get caught by replay check
git-svn-id: http://code.elgg.org/elgg/trunk@3672 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r--engine/lib/api.php14
1 files changed, 13 insertions, 1 deletions
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 91c3743a3..b3da52c5a 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -716,6 +716,7 @@ function api_auth_hmac() {
// calculate expected HMAC
$hmac = calculate_hmac( $api_header->hmac_algo,
$api_header->time,
+ $api_header->nonce,
$api_header->api_key,
$secret_key,
$query,
@@ -787,6 +788,11 @@ function get_and_validate_api_headers() {
throw new APIException(elgg_echo('APIException:TemporalDrift'));
}
+ $result->nonce = $_SERVER['HTTP_X_ELGG_NONCE'];
+ if ($result->nonce == "") {
+ throw new APIException(elgg_echo('APIException:MissingNonce'));
+ }
+
if ($result->method == "POST") {
$result->posthash = $_SERVER['HTTP_X_ELGG_POSTHASH'];
if ($result->posthash == "") {
@@ -844,7 +850,7 @@ function map_api_hash($algo) {
* @param $post_hash string Optional sha1 hash of the post data.
* @return string The HMAC string
*/
-function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $post_hash = "") {
+function calculate_hmac($algo, $time, $nonce, $api_key, $secret_key, $get_variables, $post_hash = "") {
global $CONFIG;
elgg_log("HMAC Parts: $algo, $time, $api_key, $secret_key, $get_variables, $post_hash");
@@ -852,6 +858,7 @@ function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $po
$ctx = hash_init(map_api_hash($algo), HASH_HMAC, $secret_key);
hash_update($ctx, trim($time));
+ hash_update($ctx, trim($nonce));
hash_update($ctx, trim($api_key));
hash_update($ctx, trim($get_variables));
if (trim($post_hash)!="") {
@@ -1163,6 +1170,9 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da
// Time
$time = time();
+
+ // Nonce
+ $nonce = uniqid('');
// URL encode all the parameters
foreach ($call as $k => $v){
@@ -1183,9 +1193,11 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da
if ((isset($keys['public'])) && (isset($keys['private']))) {
$headers['X-Elgg-apikey'] = $keys['public'];
$headers['X-Elgg-time'] = $time;
+ $headers['X-Elgg-nonce'] = $nonce;
$headers['X-Elgg-hmac-algo'] = 'sha1';
$headers['X-Elgg-hmac'] = calculate_hmac('sha1',
$time,
+ $nonce,
$keys['public'],
$keys['private'],
$params,