From 3272e219c008cba11349478b05fb51918e24798d Mon Sep 17 00:00:00 2001
From: hahn <axel.hahn@iml.unibe.ch>
Date: Tue, 16 Jun 2020 16:01:02 +0200
Subject: [PATCH] task#3869 - initial stuff for API deny timestamps in the future too.

---
 public_html/api/index.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/public_html/api/index.php b/public_html/api/index.php
index 48082084..74a9f292 100644
--- a/public_html/api/index.php
+++ b/public_html/api/index.php
@@ -84,6 +84,9 @@
 if(!isset($aReqHeaders['Authorization'])){
 _quit('Access denied. Missing authorization.', 403);
 }
+ if(!isset($aReqHeaders['Date'])){
+ _quit('Access denied. Missing field "Date:" in the request header.', 403);
+ }
 $sGotHash= preg_replace('/^.*\:/', '', $aReqHeaders['Authorization']);
 $sGotDate= $aReqHeaders['Date'];
 
@@ -103,7 +106,10 @@
 $iAge=date('U')-date('U', strtotime($sGotDate));
 _wd('Date: '.$sGotDate.' - age: '.$iAge.' sec');
 if($iAge>$iMaxAge){
- _quit('Access denied. Hash is out of date: '.$iAge. ' sec is older '.$iMaxAge.' sec', 403);
+ _quit('Access denied. Hash is out of date: '.$iAge. ' sec is older '.$iMaxAge.' sec. Maybe client or server is out of sync.', 403);
+ }
+ if($iAge<-$iMaxAge){
+ _quit('Access denied. Hash is '.$iAge. ' sec in future but only '.$iMaxAge.' sec are allowed. Maybe client or server is out of sync.', 403);
 }
 return true;
 }
--
GitLab
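Review bot: In the second hunk, `strtotime($sGotDate)` returns `false` for an unparsable or empty `Date:` header, and `date('U', false)` then silently coerces to epoch 0, so such a request is rejected only by accident through the "out of date" branch with a misleading message; the first hunk's `isset` check does not catch an empty header value either. Add an explicit parse check before computing the age: `$iTs = strtotime($sGotDate); if($iTs===false){ _quit('Access denied. Field "Date:" in the request header is not a parsable date.', 403); }` and then compute `$iAge=date('U')-$iTs;`. The freshness window only limits replay if the Date value is covered by the signature that `$sGotHash` is later compared against; that comparison is outside this hunk, so confirm it includes the date and uses `hash_equals()` for the comparison. The enclosing function starts outside both hunks.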