Do not sign useless User-Agent or Accept-Encoding headers (#8533)

Fix #8080
author: Eugen Rochko <eugen@zeonfederated.com> 2018-08-31 04:22:52 +0200
committer: GitHub <noreply@github.com> 2018-08-31 04:22:52 +0200
commit: e3764bdb529d3ec03f8db9fb20862af07d7590d4 (patch)
tree: c55fb0ac33c81d97e263087ef15d6fe53b770416 /app/lib/request.rb
parent: 18eb565755b8658e2a9768a6f59596d943746b68 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/app/lib/request.rb b/app/lib/request.rb
index 21bdaa700..36c211dbf 100644
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -73,15 +73,15 @@ class Request
     algorithm = 'rsa-sha256'
     signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))
 
-    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
+    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
   end
 
   def signed_string
-    @headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+    signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
   end
 
   def signed_headers
-    @headers.keys.join(' ').downcase
+    @headers.without('User-Agent', 'Accept-Encoding')
   end
 
   def key_id
author	Eugen Rochko <eugen@zeonfederated.com>	2018-08-31 04:22:52 +0200
committer	GitHub <noreply@github.com>	2018-08-31 04:22:52 +0200
commit	e3764bdb529d3ec03f8db9fb20862af07d7590d4 (patch)
tree	c55fb0ac33c81d97e263087ef15d6fe53b770416 /app/lib/request.rb
parent	18eb565755b8658e2a9768a6f59596d943746b68 (diff)