From 1e3343857f65870174f57f22a6b59187ae958ce4 Mon Sep 17 00:00:00 2001 From: Steven Alasia Date: Mon, 23 Jun 2025 06:41:13 +0200 Subject: [PATCH 1/2] Fix signature generation with rawurldecode --- Security/Firewall/SignedRequest.php | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/Security/Firewall/SignedRequest.php b/Security/Firewall/SignedRequest.php index 3af6a01..bc4ba87 100644 --- a/Security/Firewall/SignedRequest.php +++ b/Security/Firewall/SignedRequest.php @@ -16,7 +16,7 @@ public function __construct( $this->setMethod(strtoupper($method)); } - public function buildSignature(SignatureConfig $signatureConfig): string + public function buildVerificationSignature(SignatureConfig $signatureConfig): string { $payload = [ $this->method, @@ -38,9 +38,31 @@ public function buildSignature(SignatureConfig $signatureConfig): string ); } + public function buildSignature(SignatureConfig $signatureConfig): string + { + $payload = [ + $this->method, + $this->host, + $this->pathInfo, + rawurldecode($this->content), + ]; + + if ($signatureConfig->isReplayProtectionEnabled()) { + $this->guardValidSignatureTime(); + // use unshift to keep BC on signature generation + array_unshift($payload, $this->signatureTime); + } + + return hash_hmac( + $signatureConfig->getAlgorithm(), + implode("\n", $payload), + $signatureConfig->getSecret(), + ); + } + public function authenticateSignature(string $signature, SignatureConfig $signatureConfig, ReplayProtection $replayProtection): bool { - if ($signature !== $this->buildSignature($signatureConfig)) { + if ($signature !== $this->buildVerificationSignature($signatureConfig)) { throw new InvalidSignatureException(); } From 4bf57b98a3a8909a95518cb15face99f821aa219 Mon Sep 17 00:00:00 2001 From: Steven Alasia Date: Mon, 23 Jun 2025 15:17:55 +0200 Subject: [PATCH 2/2] Use a boolean instead of rewriting the function --- Security/Firewall/SignedRequest.php | 33 +++++++++-------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/Security/Firewall/SignedRequest.php b/Security/Firewall/SignedRequest.php index bc4ba87..0b1912d 100644 --- a/Security/Firewall/SignedRequest.php +++ b/Security/Firewall/SignedRequest.php @@ -16,37 +16,24 @@ public function __construct( $this->setMethod(strtoupper($method)); } - public function buildVerificationSignature(SignatureConfig $signatureConfig): string + public function buildSignature(SignatureConfig $signatureConfig, bool $forVerification = false): string { $payload = [ $this->method, $this->host, $this->pathInfo, - $this->content, + rawurldecode($this->content), ]; - if ($signatureConfig->isReplayProtectionEnabled()) { - $this->guardValidSignatureTime(); - // use unshift to keep BC on signature generation - array_unshift($payload, $this->signatureTime); + if ($forVerification) { + $payload = [ + $this->method, + $this->host, + $this->pathInfo, + $this->content, + ]; } - return hash_hmac( - $signatureConfig->getAlgorithm(), - implode("\n", $payload), - $signatureConfig->getSecret(), - ); - } - - public function buildSignature(SignatureConfig $signatureConfig): string - { - $payload = [ - $this->method, - $this->host, - $this->pathInfo, - rawurldecode($this->content), - ]; - if ($signatureConfig->isReplayProtectionEnabled()) { $this->guardValidSignatureTime(); // use unshift to keep BC on signature generation @@ -62,7 +49,7 @@ public function buildSignature(SignatureConfig $signatureConfig): string public function authenticateSignature(string $signature, SignatureConfig $signatureConfig, ReplayProtection $replayProtection): bool { - if ($signature !== $this->buildVerificationSignature($signatureConfig)) { + if ($signature !== $this->buildSignature($signatureConfig, true)) { throw new InvalidSignatureException(); }