X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FHTTPSignature.php;h=d5e1732c08635243ca71abd08888dc078ebb593e;hb=cc8a6c85ae939c0fc9258d7a11276bc7c2e59bc0;hp=ba44bcc80b5416786a4e6dea932ea92eedeeb1d3;hpb=a876c208504af3ee801689886ec8cab8f3eeff00;p=friendica.git

diff --git a/src/Util/HTTPSignature.php b/src/Util/HTTPSignature.php
index ba44bcc80b..d5e1732c08 100644
--- a/src/Util/HTTPSignature.php
+++ b/src/Util/HTTPSignature.php
@@ -488,8 +488,10 @@ class HTTPSignature
 			return false;
 		}
 
+		$hasGoodSignedContent = false;
+
 		// Check the digest when it is part of the signed data
-		if (in_array('digest', $sig_block['headers'])) {
+		if (!empty($content) && in_array('digest', $sig_block['headers'])) {
 			$digest = explode('=', $headers['digest'], 2);
 			if ($digest[0] === 'SHA-256') {
 				$hashalg = 'sha256';
@@ -503,6 +505,8 @@ class HTTPSignature
 			if (!empty($hashalg) && base64_encode(hash($hashalg, $content, true)) != $digest[1]) {
 				return false;
 			}
+
+			$hasGoodSignedContent = true;
 		}
 
 		//  Check if the signed date field is in an acceptable range
@@ -512,6 +516,7 @@ class HTTPSignature
 				Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid.");
 				return false;
 			}
+			$hasGoodSignedContent = true;
 		}
 
 		// Check the content-length when it is part of the signed data
@@ -521,6 +526,12 @@ class HTTPSignature
 			}
 		}
 
+		// Ensure that the authentication had been done with some content
+		// Without this check someone could authenticate with fakeable data
+		if (!$hasGoodSignedContent) {
+			return false;
+		}
+
 		return $key['url'];
 	}