From 6deab18126a11498c8b6fff478c98e724e0a2b27 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 12 Nov 2019 13:01:56 +0000
Subject: [PATCH] Add content langth to http signature
---
README.md | 2 +-
httpsig.py | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 41b44598..fa349c51 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ Or on Debian:
 ``` bash
 sudo apt-get -y install tor python3-pip python3-socks imagemagick \
 python3-numpy python3-setuptools python3-crypto \
- python3-dateutil python3-pil.imagetk certbot nginx
+ python3-dateutil python3-pil.imagetk certbot nginx
 sudo pip3 install requests commentjson beautifulsoup4 pycryptodome
 ```
diff --git a/httpsig.py b/httpsig.py
index b36b48c5..5995fc0e 100644
--- a/httpsig.py
+++ b/httpsig.py
@@ -104,13 +104,14 @@ def createSignedHeader(privateKeyPem: str,nickname: str, \
 path,httpPrefix,None)
 else:
 bodyDigest=messageContentDigest(messageBodyJsonStr)
+ contentLength=len(messageBodyJsonStr)
 #print('***************************Send (request-target): post '+path)
 #print('***************************Send host: '+headerDomain)
 #print('***************************Send date: '+dateStr)
 #print('***************************Send digest: '+bodyDigest)
 #print('***************************Send Content-type: '+contentType)
 #print('***************************Send messageBodyJsonStr: '+messageBodyJsonStr)
- headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-type': contentType}
+ headers = {'(request-target)': f'post {path}','host': headerDomain,'date': dateStr,'digest': f'SHA-256={bodyDigest}','content-length': contentLength,'content-type': contentType}
 signatureHeader = \
 signPostHeaders(dateStr,privateKeyPem,nickname, \
 domain,port, \
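Review bot: `contentLength=len(messageBodyJsonStr)` counts characters of the Python str, whereas Content-Length is the byte count of the body on the wire, so the signed value diverges from what is actually transmitted as soon as the JSON contains non-ASCII text; the first verifyPostHeaders hunk computes it the same way and shares the problem. If the body is sent UTF-8 encoded (not visible in this hunk), `contentLength=len(messageBodyJsonStr.encode('utf-8'))` on both sides would match the transmitted length. The value is also stored in the headers dict as an int while every other value is a str; whether the client library later accepts a non-str header value cannot be told from here, so `'content-length': str(contentLength)` is the safer form. createSignedHeader begins and ends outside the hunk.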
@@ -168,6 +169,7 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 # Unpack the signed headers and set values based on current headers and
 # body (if a digest was included)
 signedHeaderList = []
+ contentLength=len(messageBodyJsonStr)
 for signedHeader in signatureDict['headers'].split(' '):
 if signedHeader == '(request-target)':
 signedHeaderList.append(
@@ -183,6 +185,9 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 #print('***************************Verify messageBodyJsonStr: '+messageBodyJsonStr)
 else:
 if headers.get(signedHeader):
+ if signedHeader=='content-length':
+ if int(headers[signedHeader])!=contentLength:
+ return False
 if signedHeader=='date':
 if not verifyRecentSignature(headers[signedHeader]):
 return False
@@ -191,6 +196,9 @@ def verifyPostHeaders(httpPrefix: str,publicKeyPem: str,headers: dict, \
 f'{signedHeader}: {headers[signedHeader]}')
 else:
 signedHeaderCap=signedHeader.capitalize()
+ if signedHeaderCap=='Content-length':
+ if int(headers[signedHeader])!=contentLength:
+ return False
 if signedHeaderCap=='Date':
 if not verifyRecentSignature(headers[signedHeaderCap]):
 return False
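Review bot: `contentLength=len(messageBodyJsonStr)` runs unconditionally, before the loop knows whether content-length is even among the signed headers, so a None body makes verifyPostHeaders raise TypeError instead of returning a verdict; createSignedHeader in the previous file section has a separate no-body branch, which suggests such callers exist, though this hunk does not show one. Computing the length only inside the two content-length branches, or guarding it with `contentLength=len(messageBodyJsonStr) if messageBodyJsonStr else 0`, keeps the function returning False rather than raising for requests it already handles. verifyPostHeaders starts and ends outside the hunk.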
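Review bot: `int(headers[signedHeader])` is applied to a header value taken from the incoming request, and a non-numeric Content-Length raises ValueError out of the verifier instead of producing a False result; the same call appears in the following hunk. Since this function is the point where untrusted signature input is rejected, the comparison should fail closed, e.g. `if not str(headers[signedHeader]).isdigit() or int(headers[signedHeader])!=contentLength:` followed by the existing `return False`. The enclosing loop body continues beyond this hunk.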
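Review bot: The added check reads `headers[signedHeader]`, but this else branch is only reached when `headers.get(signedHeader)` was falsy, so the lowercase key is absent or empty here; the Date check two lines below uses `headers[signedHeaderCap]`, and the new line should do the same: `if int(headers[signedHeaderCap])!=contentLength:`. As written, a request that sends the header under the capitalised name hits a KeyError (or compares an empty value) rather than being verified. Note that `.capitalize()` yields `Content-length`, so the branch only matches that exact spelling; that is the convention the existing Date branch already follows, not something this commit introduces.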