From d8c4c0627a6ed343a97c42e26a387e03f33b462a Mon Sep 17 00:00:00 2001 From: Sam Whited Date: Wed, 31 Aug 2016 09:24:15 -0500 Subject: [PATCH] SHA256 hash the kid claim before fetching tokens --- prosody-plugins/mod_auth_token.lua | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/prosody-plugins/mod_auth_token.lua b/prosody-plugins/mod_auth_token.lua index 077a1b840..4aa14d137 100644 --- a/prosody-plugins/mod_auth_token.lua +++ b/prosody-plugins/mod_auth_token.lua @@ -9,6 +9,7 @@ local http = require "net.http"; local json = require "cjson"; local new_sasl = require "util.sasl".new; local sasl = require "util.sasl"; +local sha256 = require "util.hashes".sha256; local timer = require "util.timer"; local token_util = module:require "token/util"; @@ -96,10 +97,15 @@ function get_public_key(keyId) done(); end module:log("debug", "Fetching public key from: "..asapKeyServer..keyId); - local request = http.request(asapKeyServer..keyId, { + + -- We hash the key ID to work around some legacy behavior in the original + -- deployment and make deployment easier. It also helps prevent directory + -- traversal attacks (although path cleaning could have done this too). + local request = http.request(asapKeyServer..sha256(keyId)..'.pem', { headers = http_headers or {}, method = "GET" }, cb); + -- TODO: Is the done() call racey? Can we cancel this if the request -- succeedes? local function cancel()