Commit: 01d6ba78b9253a4e00be402288b998527cf2dcab Author: Nikita Popov <ni...@php.net> Thu, 24 Nov 2016 12:13:04 +0100 Parents: 608174ee7c426e5bc723ebe14e0da0aeb8b34c90 Branches: master
Link: http://git.php.net/?p=web/master.git;a=commitdiff;h=01d6ba78b9253a4e00be402288b998527cf2dcab Log: Improve GitHub signature validation We should not let the client decide the authentication method, see https://www.wordfence.com/blog/2016/11/hacking-27-web-via-wordpress-auto-update/ Changed paths: M github-webhook.php Diff:
diff --git a/github-webhook.php b/github-webhook.php
index f756e81..f52f1b4 100644
--- a/github-webhook.php
+++ b/github-webhook.php
@@ -1,10 +1,8 @@
 <?php
 function verify_signature($requestBody) {
- if(isset($_SERVER['HTTP_X_HUB_SIGNATURE'])){
- $parts = explode("=", $_SERVER['HTTP_X_HUB_SIGNATURE'], 2);
- if (count($parts) == 2) {
- return hash_hmac($parts[0], $requestBody, getenv('GITHUB_SECRET')) === $parts[1];
- }
+ if (isset($_SERVER['HTTP_X_HUB_SIGNATURE'])){
+ $sig = 'sha1=' . hash_hmac('sha1', $requestBody, getenv('GITHUB_SECRET'));
+ return $sig === $_SERVER['HTTP_X_HUB_SIGNATURE'];
 }
 return false;
 }
-- PHP Webmaster List Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
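Review bot: The new `return $sig === $_SERVER['HTTP_X_HUB_SIGNATURE'];` compares the expected MAC against the client-supplied header with an ordinary string comparison, which short-circuits on the first differing byte and so leaks how much of the prefix matched through timing; `hash_equals()` exists for exactly this purpose and has been available since PHP 5.6, so the line should read `return hash_equals($sig, $_SERVER['HTTP_X_HUB_SIGNATURE']);`. The secret also deserves a guard: when `GITHUB_SECRET` is not set, `getenv()` returns `false`, which `hash_hmac()` accepts as an empty key, so a misconfigured deployment would validate any request whose header was computed over the empty key — adding `$secret = getenv('GITHUB_SECRET'); if ($secret === false || $secret === '') { return false; }` before the HMAC keeps that failure mode closed rather than open. Pinning the algorithm to sha1 server-side is the right fix, since the header no longer selects it. Minor style point: `if (isset(...)){` is missing the space before the opening brace.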