Leahnaya/mastodon
1
0
Fork 0
mirror of https://github.com/mastodon/mastodon.git synced 2026-03-21 18:05:23 -05:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375)

Browse Source 
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
This commit is contained in:
Shlee 2026-01-08 17:47:53 +07:00 committed by Claire
parent 444a360c11
commit eff2d57cdb
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/lib/signature_parser.rb
View File

@ -25,9 +25,13 @@ class SignatureParser
# Use `skip` instead of `scan` as we only care about the subgroups
while scanner.skip(PARAM_RE)
key = scanner[:key]
# Detect a duplicate key
raise Mastodon::SignatureVerificationError, 'Error parsing signature with duplicate keys' if params.key?(key)
# This is not actually correct with regards to quoted pairs, but it's consistent
# with our previous implementation, and good enough in practice.
params[scanner[:key]] = scanner[:value] || scanner[:quoted_value][1...-1]
params[key] = scanner[:value] || scanner[:quoted_value][1...-1]
scanner.skip(/\s*/)
return params if scanner.eos?