From 2f2184cf12d12a30b713d827e08fb1a4c6f41530 Mon Sep 17 00:00:00 2001 From: Michael Date: Mon, 14 Jan 2019 16:03:13 +0000 Subject: [PATCH] Date check added for HTTP signatures --- src/Util/HTTPSignature.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/Util/HTTPSignature.php b/src/Util/HTTPSignature.php index 2b9e396241..32785a60aa 100644 --- a/src/Util/HTTPSignature.php +++ b/src/Util/HTTPSignature.php @@ -459,7 +459,14 @@ class HTTPSignature } } - /// @todo Check if the signed date field is in an acceptable range + // Check if the signed date field is in an acceptable range + if (in_array('date', $sig_block['headers'])) { + $diff = abs(strtotime($headers['date']) - time()); + if ($diff > 300) { + Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid."); + return false; + } + } // Check the content-length when it is part of the signed data if (in_array('content-length', $sig_block['headers'])) {