Mercurial > libervia-backend
diff sat/plugins/plugin_comp_ap_gateway/http_server.py @ 3884:cea52400623d
component AP gateway: work around encoding bug in Mastodon:
Mastodon in wrongly unquoting URL path in `(request-target)`, and thus Libervia was doing
the same to check signature. However that doesn't work with Pleroma which is using the
path value used in the request (percent-encoded), and thus Pleroma signature were
rejected.
To work around that, signature is first checked without unquoting, and if this fails a new
check is done with unquoting.
Bug has been reported at https://github.com/mastodon/mastodon/issues/18871
rel 371
author | Goffi <goffi@goffi.org> |
---|---|
date | Wed, 31 Aug 2022 17:07:03 +0200 |
parents | 1bd44367337d |
children | aa7197b67c26 |
line wrap: on
line diff
--- a/sat/plugins/plugin_comp_ap_gateway/http_server.py Wed Aug 31 17:07:03 2022 +0200 +++ b/sat/plugins/plugin_comp_ap_gateway/http_server.py Wed Aug 31 17:07:03 2022 +0200 @@ -980,7 +980,7 @@ for to_sign in signed_headers: if to_sign == "(request-target)": method = request.method.decode().lower() - uri = parse.unquote(request.uri.decode()) + uri = request.uri.decode() headers[to_sign] = f"{method} /{uri.lstrip('/')}" elif to_sign in ("(created)", "(expires)"): if algorithm != HS2019: @@ -1070,11 +1070,24 @@ if created > limit_ts: raise exceptions.EncryptionError("Signature has expired") - return await self.apg.checkSignature( - sign_data["signature"], - key_id, - headers - ) + try: + return await self.apg.checkSignature( + sign_data["signature"], + key_id, + headers + ) + except exceptions.EncryptionError: + method, url = headers["(request-target)"].rsplit(' ', 1) + headers["(request-target)"] = f"{method} {parse.unquote(url)}" + log.debug( + "Using workaround for (request-target) encoding bug in signature, " + "see https://github.com/mastodon/mastodon/issues/18871" + ) + return await self.apg.checkSignature( + sign_data["signature"], + key_id, + headers + ) def render(self, request): request.setHeader("server", VERSION)