Date check added for HTTP signatures
authorMichael <heluecht@pirati.ca>
Mon, 14 Jan 2019 16:03:13 +0000 (16:03 +0000)
committerMichael <heluecht@pirati.ca>
Mon, 14 Jan 2019 16:03:13 +0000 (16:03 +0000)
src/Util/HTTPSignature.php

index 2b9e396241755f5ba07ee83116a1c569f0f0774d..32785a60aac5b913826ef9568b5b530ee53b03db 100644 (file)
@@ -459,7 +459,14 @@ class HTTPSignature
                        }
                }
 
-               /// @todo Check if the signed date field is in an acceptable range
+               //  Check if the signed date field is in an acceptable range
+               if (in_array('date', $sig_block['headers'])) {
+                       $diff = abs(strtotime($headers['date']) - time());
+                       if ($diff > 300) {
+                               Logger::log("Header date '" . $headers['date'] . "' is with " . $diff . " seconds out of the 300 second frame. The signature is invalid.");
+                               return false;
+                       }
+               }
 
                // Check the content-length when it is part of the signed data
                if (in_array('content-length', $sig_block['headers'])) {
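Review bot: The freshness check at `if (in_array('date', $sig_block['headers']))` runs only when the sender listed `date` among the signed headers, so a signature that does not cover `date` gets no age limit and replay protection is left to the sender. Unless an earlier part of the function (outside this hunk) already enforces it, I would reject such signatures before the range check, e.g. `if (!in_array('date', $sig_block['headers'], true)) { return false; }`. `strtotime()` returns `false` for an unparsable value; the subtraction then produces a very large `$diff`, so the request is still rejected, but the log reports a meaningless offset, and an explicit `=== false` branch with its own message would be clearer. The header value is also written to the log verbatim, so it should be encoded or stripped of control characters first, for example with `json_encode($headers['date'])`. The enclosing function starts before and continues after this hunk, so checks outside the visible lines could not be reviewed.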