From 004fb96b2f9b848172aa52a72fac08a616a7913b Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Mon, 4 Mar 2019 07:53:31 -0600
Subject: [PATCH] Add nonce to pubsub token

---
 src/invidious.cr | 14 ++++++++++----
 src/invidious/channels.cr | 4 +++-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index 0951fd72c..a19a742b5 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -92,7 +92,7 @@ PUBSUB_URL = URI.parse("https://pubsubhubbub.appspot.com")
 TEXTCAPTCHA_URL = URI.parse("http://textcaptcha.com/omarroth@hotmail.com.json")
 CURRENT_COMMIT = `git rev-list HEAD --max-count=1 --abbrev-commit`.strip
 CURRENT_VERSION = `git describe --tags $(git rev-list --tags --max-count=1)`.strip
-CURRENT_BRANCH = `git status | head -1`.strip
+CURRENT_BRANCH = `git status | head -1`.strip
 
 LOCALES = {
 "ar" => load_locale("ar"),
@@ -136,7 +136,7 @@ if config.statistics_enabled
 "software" => {
 "name" => "invidious",
 "version" => "#{CURRENT_VERSION}-#{CURRENT_COMMIT}",
- "branch" => "#{CURRENT_BRANCH}",
+ "branch" => "#{CURRENT_BRANCH}",
 },
 "openRegistrations" => config.registration_enabled,
 "usage" => {
@@ -2329,13 +2329,19 @@ get "/feed/webhook/:token" do |env|
 challenge = env.params.query["hub.challenge"]
 lease_seconds = env.params.query["hub.lease_seconds"]
 
- time, signature = verify_token.split(":")
+ if verify_token.starts_with? "v1"
+ _, time, nonce, signature = verify_token.split(":")
+ data = "#{time}:#{nonce}"
+ else
+ time, signature = verify_token.split(":")
+ data = "#{time}"
+ end
 
 if Time.now.to_unix - time.to_i > 600
 halt env, status_code: 400
 end
 
- if OpenSSL::HMAC.hexdigest(:sha1, HMAC_KEY, time) != signature
+ if OpenSSL::HMAC.hexdigest(:sha1, HMAC_KEY, data) != signature
 halt env, status_code: 400
 end
 
diff --git a/src/invidious/channels.cr b/src/invidious/channels.cr
index bb5480453..b38c5e1a6 100644
--- a/src/invidious/channels.cr
+++ b/src/invidious/channels.cr
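Review bot: The `else` branch in the `/feed/webhook/:token` hunk keeps the pre-nonce `time:signature` format verifiable, so the nonce is optional to whoever presents the token rather than enforced; since `time` is already rejected after 600 seconds, legacy tokens issued before this deploy age out within ten minutes and the fallback can then be removed (unless stored callback URLs are re-verified later, which I cannot see from here). Malformed tokens also surface as exceptions rather than a 400: a token with fewer colon-separated parts than the destructuring expects raises IndexError, and a non-numeric `time` makes `time.to_i` raise, both before any MAC check has run. I would check the part count explicitly, verify the MAC before reading `time` so only server-issued tokens reach the parse, and compare digests with the stdlib's `Crypto::Subtle.constant_time_compare` instead of `!=`. The route block and the line assigning `verify_token` begin above the hunk, and the producer in `subscribe_pubsub` (channels.cr hunk, cut off in this chunk) names the MAC input `signature` while the receiver calls it `data`; aligning the two names would make the token format easier to audit.
```crystal
  # … unchanged: challenge / lease_seconds reads …

  parts = verify_token.split(":")
  if parts.size == 4 && parts[0] == "v1"
    _, time, nonce, signature = parts
    data = "#{time}:#{nonce}"
  elsif parts.size == 2
    time, signature = parts
    data = time
  else
    halt env, status_code: 400
  end

  # Authenticate first; only a token we issued reaches the time parse below.
  expected = OpenSSL::HMAC.hexdigest(:sha1, HMAC_KEY, data)
  unless Crypto::Subtle.constant_time_compare(expected, signature)
    halt env, status_code: 400
  end

  if Time.now.to_unix - time.to_i > 600
    halt env, status_code: 400
  end
```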
@@ -194,11 +194,13 @@ end
 def subscribe_pubsub(ucid, key, config)
 client = make_client(PUBSUB_URL)
 time = Time.now.to_unix.to_s
+ nonce = Random::Secure.hex(4)
+ signature = "#{time}:#{nonce}"
 host_url = make_host_url(Kemal.config.ssl || config.https_only, config.domain)
 
 body = {
- "hub.callback" => "#{host_url}/feed/webhook/#{time}:#{OpenSSL::HMAC.hexdigest(:sha1, key, time)}",
+ "hub.callback" => "#{host_url}/feed/webhook/v1:#{time}:#{nonce}:#{OpenSSL::HMAC.hexdigest(:sha1, key, signature)}",
 "hub.topic" => "https://www.youtube.com/feeds/videos.xml?channel_id=#{ucid}",
 "hub.verify" => "async",
 "hub.mode" => "subscribe",