From ff006ce319b2f3ac2ae290ebc2d2297785094b01 Mon Sep 17 00:00:00 2001 From: Rob Ostensen Date: Sun, 11 Mar 2012 00:11:44 -0600 Subject: [PATCH] verify required headers are signed --- inc/iSchedule.php | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/inc/iSchedule.php b/inc/iSchedule.php index 0a0dc325..365f7845 100644 --- a/inc/iSchedule.php +++ b/inc/iSchedule.php @@ -34,10 +34,10 @@ class iSchedule private $failOnError = true; private $subdomainsOK = true; private $remote_public_key ; - private $required_headers = Array ( 'Host', // draft 01 section 7.1 required headers - 'Originator', - 'Recipient', - 'Content-Type' ); + private $required_headers = Array ( 'host', // draft 01 section 7.1 required headers + 'originator', + 'recipient', + 'content-type' ); private $disallowed_headers = Array ( 'connection', // draft 01 section 7.1 disallowed headers 'keep-alive', 'dkim-signature', @@ -538,10 +538,17 @@ class iSchedule if ( ! isset ( $dkim['h'] ) ) return 'missing list of signed headers'; $this->signed_headers = preg_split ( '/:/', $dkim['h'] ); - + + $sh = Array (); foreach ( $this->signed_headers as $h ) + { + $sh[] = strtolower ( $h ); if ( in_array ( strtolower ( $h ), $this->disallowed_headers ) ) return "$h is NOT allowed in signed header fields per RFC4871 or iSchedule"; + } + foreach ( $this->required_headers as $h ) + if ( ! in_array ( strtolower ( $h ), $sh ) ) + return "$h is REQUIRED but missing in signed header fields per iSchedule"; // body hash REQUIRED if ( ! isset ( $dkim['bh'] ) ) return 'missing body signature'; -- 2.11.4.GIT