]> source.dussan.org Git - gitea.git/commit
projects / gitea.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a312007) | patch
If httpsig verification fails, fix Host header and try again
authorAnthony Wang <ta180m@proton.me>
Tue, 14 Jun 2022 21:23:08 +0000 (16:23 -0500)
committerAnthony Wang <ta180m@proton.me>
Tue, 14 Jun 2022 21:23:08 +0000 (16:23 -0500)
commitf53e46c721a037c55facb9200106a6b491bf834c
treeaa82a7d2d326741cdc2f806423997195a0e6badftree | snapshot
parenta3120079a5dd4376c7c85584bdc5f6290cf5b84ecommit | diff
If httpsig verification fails, fix Host header and try again

This fixes a very rare bug when Gitea and another AP server (confirmed to happen with Mastodon) are running on the same machine, Gitea fails to verify incoming HTTP signatures. This is because the other AP server creates the sig with the public Gitea domain as the Host. However, when Gitea receives the request, the Host header is instead localhost, so the signature verification fails. Manually changing the host header to the correct value and trying the verification again fixes the bug.
routers/api/v1/activitypub/reqsignature.go diff | blob | history
Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea