closes pterodactyl#30

DaneEveritt · DaneEveritt · commit aac498808c5b · 2016-01-22T21:53:11.000-05:00
diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php
@@ -46,6 +46,10 @@ class APISecretToken extends Authorization
 
     protected $permissionAllowed = false;
 
+    protected $method = '';
+
+    protected $url = '';
+
     public function __construct()
     {
         //
@@ -102,17 +106,19 @@ public function authenticate(Request $request, Route $route)
             throw new HttpException('There was an error while attempting to check your secret key.');
         }
 
-        if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) {
+        $this->method = strtoupper($request->method());
+        $this->url = urldecode($request->fullUrl());
+        if($this->_generateHMAC($request->getContent(), $decrypted) !== base64_decode($hashed)) {
             throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.');
         }
 
         return true;
 
     }
 
-    protected function _generateHMAC($url, $body, $key)
+    protected function _generateHMAC($body, $key)
     {
-        $data = urldecode($url) . '.' . $body;
+        $data = $this->method . '.' . $this->url . '.' . $body;
         return hash_hmac($this->algo, $data, $key, true);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,10 @@ class APISecretToken extends Authorization`
`46`	`46`
`47`	`47`	`protected $permissionAllowed = false;`
`48`	`48`
	`49`	`+ protected $method = '';`
	`50`	`+`
	`51`	`+ protected $url = '';`
	`52`	`+`
`49`	`53`	`public function __construct()`
`50`	`54`	`{`
`51`	`55`	`//`
`@@ -102,17 +106,19 @@ public function authenticate(Request $request, Route $route)`
`102`	`106`	`throw new HttpException('There was an error while attempting to check your secret key.');`
`103`	`107`	`}`
`104`	`108`
`105`		`- if($this->_generateHMAC($request->fullUrl(), $request->getContent(), $decrypted) !== base64_decode($hashed)) {`
	`109`	`+ $this->method = strtoupper($request->method());`
	`110`	`+ $this->url = urldecode($request->fullUrl());`
	`111`	`+ if($this->_generateHMAC($request->getContent(), $decrypted) !== base64_decode($hashed)) {`
`106`	`112`	`throw new BadRequestHttpException('The hashed body was not valid. Potential modification of contents in route.');`
`107`	`113`	`}`
`108`	`114`
`109`	`115`	`return true;`
`110`	`116`
`111`	`117`	`}`
`112`	`118`
`113`		`- protected function _generateHMAC($url, $body, $key)`
	`119`	`+ protected function _generateHMAC($body, $key)`
`114`	`120`	`{`
`115`		`- $data = urldecode($url) . '.' . $body;`
	`121`	`+ $data = $this->method . '.' . $this->url . '.' . $body;`
`116`	`122`	`return hash_hmac($this->algo, $data, $key, true);`
`117`	`123`	`}`
`118`	`124`