Fix SignatureParser accepting duplicate parameters in HTTP Signature header (#37375)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>
Shlee 2026-01-08 17:47:53 +07:00 committed by Claire
parent 1eb8d1b967
commit adea0b7b31


@ -25,9 +25,13 @@ class SignatureParser
# Use `skip` instead of `scan` as we only care about the subgroups
while scanner.skip(PARAM_RE)
key = scanner[:key]
# Detect a duplicate key
raise Mastodon::SignatureVerificationError, 'Error parsing signature with duplicate keys' if params.key?(key)
# This is not actually correct with regards to quoted pairs, but it's consistent
# with our previous implementation, and good enough in practice.
params[scanner[:key]] = scanner[:value] || scanner[:quoted_value][1...-1]
params[key] = scanner[:value] || scanner[:quoted_value][1...-1]
scanner.skip(/\s*/)
return params if scanner.eos?
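Review bot: the duplicate-key check is placed correctly, before the assignment, so a repeated parameter can no longer silently overwrite the earlier value with last-wins semantics, but the rationale is only implied and there is no accompanying test in this hunk. Suggest a short comment above the `raise` stating why duplicates are rejected (two parsers disagreeing on first-wins versus last-wins for `keyId`, `headers` or `signature` would verify different things), and a spec that feeds a Signature header with the same parameter twice and expects `Mastodon::SignatureVerificationError`. Minor: now that `key = scanner[:key]` is introduced, the rescued line `params[key] = scanner[:value] || scanner[:quoted_value][1...-1]` reads consistently, so no further change needed there.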