tdsds.com/gitea
tdsds.com
/
gitea
mirror of https://github.com/go-gitea/gitea
1
1
Fork 0
Code Releases Activity

If httpsig verification fails, fix Host header and try again 

This fixes a very rare bug when Gitea and another AP server (confirmed to happen with Mastodon) are running on the same machine, Gitea fails to verify incoming HTTP signatures. This is because the other AP server creates the sig with the public Gitea domain as the Host. However, when Gitea receives the request, the Host header is instead localhost, so the signature verification fails. Manually changing the host header to the correct value and trying the verification again fixes the bug.
This commit is contained in:
Anthony Wang 2022-06-14 16:23:08 -05:00
parent a3120079a5
commit f53e46c721
No known key found for this signature in database
GPG Key ID: BC96B00AEC5F2D76
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
routers/api/v1/activitypub/reqsignature.go
View File

@ -90,6 +90,16 @@ func verifyHTTPSignatures(ctx *gitea_context.APIContext) (authenticated bool, er
// 3. Verify the other actor's key
algo := httpsig.Algorithm(setting.Federation.Algorithms[0])
authenticated = v.Verify(pubKey, algo) == nil
if authenticated {
return
}
// 4. When Gitea and the other ActivityPub server are running on the same machine, the Host header is sometimes incorrect
r.Header["Host"] = []string{setting.Domain}
v, err = httpsig.NewVerifier(r)
if err != nil {
return
}
authenticated = v.Verify(pubKey, algo) == nil
return
}