Do not sign useless User-Agent or Accept-Encoding headers (#8533)

Fix #8080
2018-08-31 04:22:52 +02:00
parent 18eb565755
commit e3764bdb52
1 changed files with 3 additions and 3 deletions
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -73,15 +73,15 @@ class Request
    algorithm = 'rsa-sha256'
    signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))

-    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
+    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
  end

  def signed_string
-    @headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+    signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
  end

  def signed_headers
-    @headers.keys.join(' ').downcase
+    @headers.without('User-Agent', 'Accept-Encoding')
  end

  def key_id