From 3272e219c008cba11349478b05fb51918e24798d Mon Sep 17 00:00:00 2001
From: hahn <axel.hahn@iml.unibe.ch>
Date: Tue, 16 Jun 2020 16:01:02 +0200
Subject: [PATCH] task#3869 - initial stuff for API deny timestamps in the
 future too.

---
 public_html/api/index.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/public_html/api/index.php b/public_html/api/index.php
index 48082084..74a9f292 100644
--- a/public_html/api/index.php
+++ b/public_html/api/index.php
@@ -84,6 +84,9 @@
         if(!isset($aReqHeaders['Authorization'])){
             _quit('Access denied. Missing authorization.', 403);
         }         
+        if(!isset($aReqHeaders['Date'])){
+            _quit('Access denied. Missing field "Date:" in the request header.', 403);
+        }         
 
         $sGotHash= preg_replace('/^.*\:/', '', $aReqHeaders['Authorization']);
         $sGotDate= $aReqHeaders['Date'];
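Review bot: The new `Date` guard only rejects an absent key; `isset()` is true for an empty string, which then reaches `strtotime('')` further down and yields `false`, so blanks should be rejected here as well: `if(!isset($aReqHeaders['Date']) || trim($aReqHeaders['Date'])===''){`. Whether the lookup also needs to tolerate a lowercase `date` key depends on how `$aReqHeaders` is assembled, which is outside this hunk. Requiring the header only buys replay protection if the hash verified later covers the Date value; that computation is not visible here, so confirm it binds the date. The enclosing function starts before this hunk.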
@@ -103,7 +106,10 @@
         $iAge=date('U')-date('U', strtotime($sGotDate));
         _wd('Date: '.$sGotDate.' - age: '.$iAge.' sec');
         if($iAge>$iMaxAge){
-            _quit('Access denied. Hash is out of date: '.$iAge. ' sec is older '.$iMaxAge.' sec', 403);
+            _quit('Access denied. Hash is out of date: '.$iAge. ' sec is older '.$iMaxAge.' sec. Maybe client or server is out of sync.', 403);
+        }
+        if($iAge<-$iMaxAge){
+            _quit('Access denied. Hash is '.$iAge. ' sec in future but only '.$iMaxAge.' sec are allowed. Maybe client or server is out of sync.', 403);
         }
         return true;
     }
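Review bot: The future-timestamp check still trusts `strtotime()`, which accepts relative expressions such as `now` or `+5 minutes` and returns `false` for garbage; a client that sends `Date: now` gets an age of 0 every time, so if the hash covers the literal Date string (not visible here), one signed request could be replayed indefinitely, and an unparsable value is only rejected via the misleading "out of date" message because `date('U', false)` evaluates against the epoch. Parsing the header with a fixed format and rejecting failures closes both gaps, assuming clients send the RFC 7231 form an HTTP `Date` header is defined to carry; with a signed age in hand the two bounds checks collapse into one `abs()` comparison. The method body continues past this hunk's `return true;` only by its closing brace, so the rewrite below replaces the age computation and the two checks.
```php
$oGotDate = DateTime::createFromFormat(DateTimeInterface::RFC7231, $sGotDate, new DateTimeZone('UTC'));
if ($oGotDate === false) {
    _quit('Access denied. Field "Date:" in the request header is not a valid RFC 7231 date.', 403);
}
$iAge = time() - $oGotDate->getTimestamp();
// … unchanged: _wd() debug line …
if (abs($iAge) > $iMaxAge) {
    _quit('Access denied. Hash timestamp is ' . $iAge . ' sec away from server time but only ' . $iMaxAge . ' sec are allowed. Maybe client or server is out of sync.', 403);
}
```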
-- 
GitLab