From cf2142ddd2682d9c3316b8b39bfbe63846d2c3bc Mon Sep 17 00:00:00 2001
From: Valentin Lorentz
Date: Sat, 9 May 2020 22:18:03 +0200
Subject: [PATCH] Fediverse: Sign headers Date and Host to prevent replays.
---
 plugins/Fediverse/activitypub.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/plugins/Fediverse/activitypub.py b/plugins/Fediverse/activitypub.py
index 6d4477dc3..bc2efd9b1 100644
--- a/plugins/Fediverse/activitypub.py
+++ b/plugins/Fediverse/activitypub.py
@@ -30,7 +30,9 @@ import os import json
+import email
 import base64
+import datetime
 import functools
 import contextlib
 import urllib.parse
@@ -44,7 +46,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key from supybot import commands, conf
-from supybot.utils import web
+from supybot.utils import gen, web
 XRD_URI = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
@@ -189,14 +191,22 @@ def get_public_key_pem():
 def signed_request(url, headers=None, data=None):
 method = "get" if data is None else "post"
 instance_actor_url = get_instance_actor_url()
- headers = headers or {}
+ headers = gen.InsensitivePreservingDict(headers or {})
+
+ if 'Date' not in headers:
+ headers['Date'] = email.utils.formatdate(usegmt=True)
 if instance_actor_url:
+ parsed_url = urllib.parse.urlparse(url)
 signed_headers = [
 (
 "(request-target)",
- method + " " + urllib.parse.urlparse(url).path,
- )
+ method + " " + parsed_url.path,
+ ),
+ (
+ "host",
+ parsed_url.hostname,
+ ),
 ]
 for (header_name, header_value) in headers.items():
 signed_headers.append((header_name.lower(), header_value))
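Review bot: The new `("host", parsed_url.hostname)` entry in signed_headers will not match the Host header the HTTP client actually sends when `url` carries a non-default port, because `urllib.parse.urlparse(url).hostname` strips the port (and lowercases the name), so a remote verifier that rebuilds the signing string from the received `Host: name:port` header will reject the signature. A port-aware value fixes this, e.g. `host = parsed_url.hostname if parsed_url.port is None else f"{parsed_url.hostname}:{parsed_url.port}"` followed by `("host", host)`; `hostname` is also `None` for a URL with no netloc, which presumably only fails later when the signing string is assembled, so an early check on `url` would give a clearer error. Signing `Date` limits replays only insofar as the receiving server enforces a freshness window on that header, which this sender cannot guarantee, so the commit message's "prevent replays" is best read as "enable the receiver to reject stale requests". The `(request-target)` value still uses `parsed_url.path` alone, so any query string stays unsigned (pre-existing, not introduced here). The body of signed_request continues past the end of the hunk, where the signature is presumably built from signed_headers and attached to the request.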