author | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-12 12:43:26 +0000 |
---|---|---|
committer | cash <cash@36083f99-b078-4883-b0ff-0f9b5a30f544> | 2009-11-12 12:43:26 +0000 |
commit | 7e038ec3fed45caff219636a45bcc8b97d6407d7 (patch) | |
tree | 62a9ac6973b16ba663a459fc1ec55deeba2bc479 /engine | |
parent | 4f2ae37148b0a4489ea4ed9b5e62d0307450560a (diff) | |
download | elgg-7e038ec3fed45caff219636a45bcc8b97d6407d7.tar.gz elgg-7e038ec3fed45caff219636a45bcc8b97d6407d7.tar.bz2 |
added a nonce to the hmac signature and headers so the same call made in the same second does not get caught by the replay check
git-svn-id: http://code.elgg.org/elgg/trunk@3672 36083f99-b078-4883-b0ff-0f9b5a30f544
Diffstat (limited to 'engine')
-rw-r--r-- | engine/lib/api.php | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/engine/lib/api.php b/engine/lib/api.php index 91c3743a3..b3da52c5a 100644 --- a/engine/lib/api.php +++ b/engine/lib/api.php @@ -716,6 +716,7 @@ function api_auth_hmac() { // calculate expected HMAC $hmac = calculate_hmac( $api_header->hmac_algo, $api_header->time, + $api_header->nonce, $api_header->api_key, $secret_key, $query, @@ -787,6 +788,11 @@ function get_and_validate_api_headers() { throw new APIException(elgg_echo('APIException:TemporalDrift')); } + $result->nonce = $_SERVER['HTTP_X_ELGG_NONCE']; + if ($result->nonce == "") { + throw new APIException(elgg_echo('APIException:MissingNonce')); + } + if ($result->method == "POST") { $result->posthash = $_SERVER['HTTP_X_ELGG_POSTHASH']; if ($result->posthash == "") { @@ -844,7 +850,7 @@ function map_api_hash($algo) { * @param $post_hash string Optional sha1 hash of the post data. * @return string The HMAC string */ -function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $post_hash = "") { +function calculate_hmac($algo, $time, $nonce, $api_key, $secret_key, $get_variables, $post_hash = "") { global $CONFIG; elgg_log("HMAC Parts: $algo, $time, $api_key, $secret_key, $get_variables, $post_hash"); @@ -852,6 +858,7 @@ function calculate_hmac($algo, $time, $api_key, $secret_key, $get_variables, $po $ctx = hash_init(map_api_hash($algo), HASH_HMAC, $secret_key); hash_update($ctx, trim($time)); + hash_update($ctx, trim($nonce)); hash_update($ctx, trim($api_key)); hash_update($ctx, trim($get_variables)); if (trim($post_hash)!="") { @@ -1163,6 +1170,9 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da // Time $time = time(); + + // Nonce + $nonce = uniqid(''); // URL encode all the parameters foreach ($call as $k => $v){ 
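Review bot: `$result->nonce = $_SERVER['HTTP_X_ELGG_NONCE'];` in the get_and_validate_api_headers hunk reads the header without an isset() guard, so a request that omits the nonce raises an undefined-index notice before the empty check runs (the adjacent posthash read has the same pre-existing pattern). I would read it as `$result->nonce = isset($_SERVER['HTTP_X_ELGG_NONCE']) ? trim($_SERVER['HTTP_X_ELGG_NONCE']) : '';` and compare with `if ($result->nonce === '') {` so the check is strict. The check only establishes that a nonce is present; rejecting a repeated request presumably still rests on the replay check over the resulting HMAC elsewhere in api_auth_hmac, which is not visible here, so a one-line comment would help the next reader, e.g. `// presence only: replay detection keys on the HMAC this nonce feeds into, not on the nonce itself`. get_and_validate_api_headers starts and ends outside the hunk.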
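Review bot: The docblock above the new `calculate_hmac($algo, $time, $nonce, ...)` signature still documents only the old parameters; the `@param $post_hash` and `@return` lines are in the hunk but no `@param $nonce` was added. I'd add ` * @param $nonce string Per-request value mixed into the MAC so identical calls within one second still produce distinct signatures`. The context line `elgg_log("HMAC Parts: $algo, $time, $api_key, $secret_key, $get_variables, $post_hash");` writes the shared secret to the log and now also omits the nonce from the parts it lists; I would drop the secret and add the nonce: `elgg_log("HMAC Parts: $algo, $time, $nonce, $api_key, $get_variables, $post_hash");`. calculate_hmac's body continues outside the hunk.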
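Review bot: `hash_update($ctx, trim($nonce));` appends the nonce to the MAC input directly between the trimmed time and api key with no delimiter, so field boundaries are not encoded: time `12` with nonce `34` and time `123` with nonce `4` feed the same bytes to the hash. The existing fields already share this layout, and inserting a separator now would invalidate every existing client's signatures, so I would not change the byte stream in this commit, but the layout should be stated where the nonce is added, e.g. `// MAC input is time . nonce . api_key . query [. post_hash], each trimmed, with no separators (wire-compatible; boundaries are not encoded)`. This hunk is mid-function; calculate_hmac starts and ends outside it.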
@@ -1183,9 +1193,11 @@ function send_api_call(array $keys, $url, array $call, $method = 'GET', $post_da if ((isset($keys['public'])) && (isset($keys['private']))) { $headers['X-Elgg-apikey'] = $keys['public']; $headers['X-Elgg-time'] = $time; + $headers['X-Elgg-nonce'] = $nonce; $headers['X-Elgg-hmac-algo'] = 'sha1'; $headers['X-Elgg-hmac'] = calculate_hmac('sha1', $time, + $nonce, $keys['public'], $keys['private'], $params, |
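Review bot: `$headers['X-Elgg-nonce'] = $nonce;` sends a value that send_api_call derives from uniqid('') earlier in the function (outside this hunk), which is clock-based rather than random; that is enough for the stated purpose of telling apart calls made within the same second, but it should not be read as unpredictable. A comment at the header assignment would set that expectation, e.g. `// nonce only needs to differ between requests; the HMAC below, not the nonce, carries the authentication`. The calculate_hmac call's remaining arguments follow after the hunk, so I could not confirm from here that the positional argument list still lines up with the new seven-parameter signature.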