Merge branch 'main' into travis/fix-signing-key-validity
turt2live authored Sep 4, 2024
2 parents fb6904a + 7d4e9d5 commit 4703a06
Showing 2 changed files with 13 additions and 35 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -12,6 +12,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
* Return a 404 instead of 500 when clients access media which is frozen.
* Ensure the request parameters are correctly set for authenticated media client requests.
* Ensure remote signing keys expire after at most 7 days.
* Fixed parsing of `Authorization` headers for federated servers.

## [1.3.7] - July 30, 2024

47 changes: 12 additions & 35 deletions util/http.go
Expand Up @@ -58,44 +58,21 @@ func GetXMatrixAuth(headers []string) ([]XMatrixAuth, error) {

paramCsv := h[len("X-Matrix "):]
params := make(map[string]string)
isKey := true
keyName := ""
keyValue := ""
escape := false
for _, c := range paramCsv {
if c == ',' && isKey {
params[strings.TrimSpace(strings.ToLower(keyName))] = keyValue
keyName = ""
keyValue = ""
continue
}
if c == '=' {
isKey = false
continue

pairs := strings.Split(paramCsv, ",")
for _, pair := range pairs {
csv := strings.SplitN(pair, "=", 2)
if len(csv) != 2 {
return nil, fmt.Errorf("invalid auth param pair: %s", pair)
}

if isKey {
keyName = fmt.Sprintf("%s%s", keyName, string(c))
} else {
if c == '\\' && !escape {
escape = true
continue
}
if c == '"' && !escape {
escape = false
if len(keyValue) > 0 {
isKey = true
}
continue
}
if escape {
escape = false
}
keyValue = fmt.Sprintf("%s%s", keyValue, string(c))
key := strings.TrimSpace(strings.ToLower(csv[0]))
value := strings.Trim(strings.TrimSpace(csv[1]), "\"")
if _, ok := params[key]; ok {
return nil, fmt.Errorf("duplicate auth param: %s", key)
}
}
if len(keyName) > 0 && isKey {
params[strings.TrimSpace(strings.ToLower(keyName))] = keyValue

params[key] = value
}

sig, err := DecodeUnpaddedBase64String(params["sig"])
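Review bot: `strings.Trim(strings.TrimSpace(csv[1]), "\"")` strips any run of quote characters from either end, so unbalanced or repeated quotes (`"abc`, `abc""`) are accepted as if well-formed, and backslash escapes that the removed parser consumed now stay in the value. Because the header is split on `,` before quoting is considered, a quoted value that contains a comma is broken into separate pairs instead of being rejected as a whole. These fields come from a remote server's `Authorization` header and appear to feed the signature check that follows, so I would accept only a bare token or one matched pair of quotes and fail closed on anything else, and format the rejected input with `%q` rather than `%s` in the two new error strings. GetXMatrixAuth starts and ends outside this hunk, so how a missing `sig` (an empty string from `params["sig"]`) is treated afterwards is not visible here.

```go
key := strings.TrimSpace(strings.ToLower(csv[0]))
value := strings.TrimSpace(csv[1])
if len(value) >= 2 && strings.HasPrefix(value, "\"") && strings.HasSuffix(value, "\"") {
	// Exactly one matched pair of surrounding quotes is removed.
	value = value[1 : len(value)-1]
}
if strings.ContainsAny(value, "\"\\") {
	// A leftover quote or an escape sequence this parser does not decode: fail closed.
	return nil, fmt.Errorf("malformed auth param value for %q", key)
}
// … unchanged: duplicate-key check and params[key] = value …
```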