From e3764bdb529d3ec03f8db9fb20862af07d7590d4 Mon Sep 17 00:00:00 2001
From: Eugen Rochko
Date: Fri, 31 Aug 2018 04:22:52 +0200
Subject: [PATCH] Do not sign useless User-Agent or Accept-Encoding headers (#8533)

Fix #8080
---
 app/lib/request.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/lib/request.rb b/app/lib/request.rb
index 21bdaa7003..36c211dbfe 100644
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -73,15 +73,15 @@ class Request
 algorithm = 'rsa-sha256'
 signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))

- "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
+ "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
 end

 def signed_string
- @headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+ signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
 end

 def signed_headers
- @headers.without('User-Agent', 'Accept-Encoding')
+ @headers.without('User-Agent', 'Accept-Encoding')
 end

 def key_id
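Review bot: The exclusion in the new `signed_headers` matches the keys 'User-Agent' and 'Accept-Encoding' by exact case, while `signed_string` and the `headers=` list both downcase the keys, so a header stored under another spelling (for example `user-agent`) would still be signed. How `@headers` is populated is outside the hunk, so this may not be reachable today, but a case-insensitive filter is cheap: `@headers.reject { |key, _| %w(user-agent accept-encoding).include?(key.downcase) }`. Because this is a deny-list, any header later added to `@headers` becomes part of the signature by default. A short comment above `signed_headers` saying why these two are left out (presumably because something between sender and verifier can change them and break verification) would help the next maintainer decide what else belongs in the list. The `signature` method and the class body start and end outside the hunk.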