From adea0b7b31995a9eb7f804440a67e6906de08bfb Mon Sep 17 00:00:00 2001
From: Shlee
Date: Thu, 8 Jan 2026 17:47:53 +0700
Subject: [PATCH] Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375)
Co-authored-by: Claire
---
 app/lib/signature_parser.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/lib/signature_parser.rb b/app/lib/signature_parser.rb
index 7a75080d9..00a45b825 100644
--- a/app/lib/signature_parser.rb
+++ b/app/lib/signature_parser.rb
@@ -25,9 +25,13 @@ class SignatureParser
 # Use `skip` instead of `scan` as we only care about the subgroups
 while scanner.skip(PARAM_RE)
+ key = scanner[:key]
+ # Detect a duplicate key
+ raise Mastodon::SignatureVerificationError, 'Error parsing signature with duplicate keys' if params.key?(key)
+ # This is not actually correct with regards to quoted pairs, but it's consistent + # with our previous implementation, and good enough in practice.
- params[scanner[:key]] = scanner[:value] || scanner[:quoted_value][1...-1]
+ params[key] = scanner[:value] || scanner[:quoted_value][1...-1]
 scanner.skip(/\s*/)
 return params if scanner.eos?
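Review bot: The comment on the added line, `# Detect a duplicate key`, restates the code rather than the reason the check exists; I would write it as `# A repeated parameter makes the header ambiguous (first-wins vs last-wins), so reject it rather than silently picking one`. The new check `params.key?(key)` is an exact string comparison, so two spellings of a parameter name that differ only in case are still accepted as distinct keys; whether that matters depends on how the caller looks the keys up, which is outside this hunk, so it is worth confirming and documenting at the raise. The `while` loop and the enclosing method continue past the end of the hunk.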