Opened on 02/15/2019 at 01:15:00 PM
Closed on 02/21/2019 at 02:00:28 PM
Last modified on 02/22/2019 at 10:21:30 AM
#7290 closed defect (fixed)
Signature header generated by sitekey-frame page doesn't verify
| Reported by: | kzar | Assignee: | kvas |
|---|---|---|---|
| Priority: | P3 | Milestone: | |
| Module: | Sitescripts | Keywords: | |
| Cc: | kvas, Ross, greiner | Blocked By: | |
| Blocking: | #7164 | Platform: | Unknown / Cross platform |
| Ready: | yes | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | | | |
Description (last modified by kzar)
Environment
Chrome 71, Adblock Plus development build from current HEAD.
How to reproduce
- Modify Adblock Plus to log the result of verifySignature in adblockplus/lib/whitelisting.js.
- Rebuild the extension.
- Navigate to https://testpages.adblockplus.org/sitekey-frame
Observed behaviour
The signature verification fails.
Expected behaviour
The signature verification succeeds.
Notes
- This likely means that sitescripts/sitescripts/testpages/web/sitekey_frame.py is using the wrong parameters to generate the signature. See this line:
key.sign_update('\x00'.join(( request_path(environ), environ['HTTP_HOST'], environ['HTTP_USER_AGENT'] )))
- If you navigate to https://sitekey.kzar.co.uk you can see the signature verifies successfully.
- When I run sitekey-frame locally using multiplexer.py the signature verifies OK. The values I see are /sitekey-frame, localhost:5000 and Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 respectively.
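One way to check the three signed values, as an added example that is not part of the ticket or of sitescripts: rebuild the NUL-joined string from what the WSGI handler sees and from what the verifying side would derive from the loaded URL, then report which component differs. The helper names, the path logic standing in for `request_path()`, the client-side derivation and the `backend.example:8080` host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

FIELDS = ("path", "host", "user_agent")

def server_fields(environ):
    """Values a WSGI handler would pass to the signer."""
    # Assumption: stand-in for sitescripts' request_path(), which the
    # ticket does not show; here it is path plus query string.
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    if environ.get("QUERY_STRING"):
        path += "?" + environ["QUERY_STRING"]
    return (path, environ.get("HTTP_HOST", ""),
            environ.get("HTTP_USER_AGENT", ""))

def client_fields(url, user_agent):
    """Values the verifying side would derive from the URL it loaded
    (assumed derivation: path plus query, host with port)."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return (path, parts.netloc, user_agent)

def signed_data(fields):
    """NUL-joined string, the same shape as the sign_update() argument."""
    if any("\x00" in f for f in fields):
        raise ValueError("NUL inside a field makes the join ambiguous")
    return "\x00".join(fields)

def diff_fields(server, client):
    """Names of the components on which the two sides disagree."""
    return [n for n, s, c in zip(FIELDS, server, client) if s != c]

UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36")
# Local run from the ticket: path, host and user agent as reported there.
LOCAL_ENVIRON = {"PATH_INFO": "/sitekey-frame", "HTTP_HOST": "localhost:5000",
                 "HTTP_USER_AGENT": UA}
# Constructed case, not the diagnosed cause: the handler sees a backend host.
PROXIED_ENVIRON = dict(LOCAL_ENVIRON, HTTP_HOST="backend.example:8080")

if __name__ == "__main__":
    print(diff_fields(server_fields(LOCAL_ENVIRON),
                      client_fields("http://localhost:5000/sitekey-frame", UA)))
    print(diff_fields(server_fields(PROXIED_ENVIRON),
                      client_fields("https://testpages.adblockplus.org/sitekey-frame", UA)))
```

Logging `server_fields(environ)` in the handler next to the values the extension feeds to verifySignature gives the same comparison on a live deployment.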
Attachments (0)
Change History (11)
comment:2 Changed on 02/15/2019 at 01:22:47 PM by kzar
comment:5 Changed on 02/19/2019 at 12:31:54 PM by greiner
- Cc greiner added
comment:6 Changed on 02/19/2019 at 10:40:06 PM by kvas
- Owner set to kvas
- Priority changed from Unknown to P3
- Ready set
comment:7 Changed on 02/19/2019 at 10:40:34 PM by kvas
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:8 Changed on 02/21/2019 at 01:45:42 PM by abpbot
A commit referencing this issue has landed:
Issue 7290 - Fix signature production in sitekey_frame.py
comment:9 Changed on 02/21/2019 at 02:00:28 PM by kzar
- Resolution set to fixed
- Status changed from reviewing to closed
comment:10 Changed on 02/21/2019 at 03:23:23 PM by kzar
Thanks again Vasily :)
comment:11 Changed on 02/22/2019 at 10:21:30 AM by kvas
No problem. Thanks for the review!
What do you think Vasily? Do you think request_path(environ), environ['HTTP_HOST'] and environ['HTTP_USER_AGENT'] are correct? Any idea how we can verify their values?