On Tue, Jun 10, 2014 at 9:11 PM, Hannes Magnusson <
[email protected]> wrote:

> On Tue, Jun 10, 2014 at 11:50 AM, Ferenc Kovacs <[email protected]> wrote:
> > Commit:    399ecb7fbc24279b0b04b887c99ef08397358e1b
> > Author:    kovacs.ferenc <[email protected]>         Tue, 10 Jun
> 2014 20:50:50 +0200
> > Parents:   acbafe16189ee1b8ab8bd1ef061f13456880ebcd
> > Branches:  master
> >
> > Link:
> http://git.php.net/?p=web/master.git;a=commitdiff;h=399ecb7fbc24279b0b04b887c99ef08397358e1b
> >
> > Log:
> > fix the signature verification
> >
> > Changed paths:
> >   M  github-webhook.php
> >
> >
> > Diff:
> > diff --git a/github-webhook.php b/github-webhook.php
> > index 70f15e8..8b57684 100644
> > --- a/github-webhook.php
> > +++ b/github-webhook.php
> > @@ -6,18 +6,19 @@ $config = array(
> >                 'pecl-' => '[email protected]',
> >         ),
> >  );
> > -if (
> > -       !isset($_SERVER['HTTP_X_HUB_SIGNATURE'],
> $_SERVER['HTTP_X_GITHUB_EVENT'])
> > -       && $_SERVER['HTTP_X_HUB_SIGNATURE'] !==
> 'sha1=e2a3e7a586aa08d7c9d3c73482e618164c7c75b1'
> > -) {
> > +
> > +$body = file_get_contents("php://input");
> > +
> > +if (!verify_signature($body)) {
> >         header('HTTP/1.1 403 Forbidden');
> >         exit;
> >  }
> > +
> >  switch  ($_SERVER['HTTP_X_GITHUB_EVENT']) {
> >         case 'ping':
> >                 break;
> >         case 'pull_request':
> > -               $payload = json_decode(file_get_contents("php://input"));
> > +               $payload = json_decode($body);
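Review bot: The new guard `if (!verify_signature($body))` drops the `isset()` check on `$_SERVER['HTTP_X_GITHUB_EVENT']` that the removed condition carried, so the `switch` that follows can read an undefined index when that header is missing, unless verify_signature() covers it. Either keep an explicit isset() on both headers before the switch or add a `default:` case that rejects the request. The definition of verify_signature() is not part of this hunk, so it cannot be reviewed here. It should compute the HMAC over the raw `$body` exactly as read from php://input and compare it to the `sha1=` value from HTTP_X_HUB_SIGNATURE with a constant-time comparison such as hash_equals() where available, with the secret kept out of the repository, unlike the literal signature in the removed lines.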
>
> There is already a $body variable used here a few lines below... Maybe
> pick a different name?
>
> -Hannes
>

thanks, fixed (albeit I was lucky enough that I was only expecting the
values which ended up being in the variable by sheer luck)
