]> git.mxchange.org Git - friendica.git/blobdiff - src/Util/HTTPSignature.php
Date check added for HTTP signatures
index 2b9e396241755f5ba07ee83116a1c569f0f0774d..32785a60aac5b913826ef9568b5b530ee53b03db 100644 (file)
@@ -459,7 +459,14 @@ class HTTPSignature
                        }
                }
 
-               /// @todo Check if the signed date field is in an acceptable range
+               //  Check if the signed date field is in an acceptable range
+               if (in_array('date', $sig_block['headers'])) {
+                       $diff = abs(strtotime($headers['date']) - time());
+                       if ($diff > 300) {
+                               Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid.");
+                               return false;
+                       }
+               }
 
                // Check the content-length when it is part of the signed data
                if (in_array('content-length', $sig_block['headers'])) {
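Review bot: The freshness check only runs when `date` is listed in `$sig_block['headers']`, so a signature whose signed header list omits `date` is accepted with no time bound and stays replayable for as long as the key is valid. If the surrounding code (outside this hunk) does not already require a signed date, consider rejecting such signatures, or at least logging that the check was skipped. Inside the branch, `strtotime($headers['date'])` returns false for a missing or unparseable header; the arithmetic happens to fail closed, but the log line then reports a meaningless offset, so an explicit guard such as `$ts = strtotime($headers['date'] ?? ''); if ($ts === false) { return false; }` would make the rejection deliberate. The 300-second window is also hard-coded twice (in the comparison and in the message) and would read better as a named constant. The enclosing method starts and ends outside the hunk.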