From 917dbbadaa7b0f93b9aa516ee7017ccc4801dd4a Mon Sep 17 00:00:00 2001
From: 0xboobface <0xboobface@gmail.com>
Date: Fri, 16 Nov 2018 12:40:27 +0100
Subject: [PATCH] If HMAC is a request parameter, calculate it from the requested path

---
 .../java/ctbrec/recorder/server/AbstractCtbrecServlet.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/ctbrec/recorder/server/AbstractCtbrecServlet.java b/src/main/java/ctbrec/recorder/server/AbstractCtbrecServlet.java
index 1c0085b6..ebca073e 100644
--- a/src/main/java/ctbrec/recorder/server/AbstractCtbrecServlet.java
+++ b/src/main/java/ctbrec/recorder/server/AbstractCtbrecServlet.java
@@ -19,6 +19,8 @@ public abstract class AbstractCtbrecServlet extends HttpServlet {
 String reqParamHmac = req.getParameter("hmac");
 String httpHeaderHmac = req.getHeader("CTBREC-HMAC");
 String hmac = null;
+ String url = req.getRequestURI();
+
 if(reqParamHmac != null) {
 hmac = reqParamHmac;
 }
@@ -27,7 +29,8 @@ public abstract class AbstractCtbrecServlet extends HttpServlet {
 }
 
 byte[] key = Config.getInstance().getSettings().key;
- authenticated = Hmac.validate(body, key, hmac);
+ String msg = reqParamHmac != null ? url : body;
+ authenticated = Hmac.validate(msg, key, hmac);
 } else {
 authenticated = true;
 }
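Review bot: In the second hunk, `String msg = reqParamHmac != null ? url : body;` picks the signed message from the presence of the `hmac` parameter rather than from whichever value ended up in `hmac`, so a request carrying the parameter is validated over the path only and its body is not covered by the MAC. The lines between the two hunks are not shown, but if the `CTBREC-HMAC` header is assigned to `hmac` after the parameter, a request with both would have the header value checked against the URI instead of the body. I would choose the message in the same branch that sets `hmac` (for example `msg = url;` next to `hmac = reqParamHmac;` and `msg = body;` next to the header assignment) and accept the path-signed form only for requests without a body. Note also that `req.getRequestURI()` from the first hunk returns the undecoded path without the query string, so other query parameters are not authenticated and the signed string may differ from the path the container resolves; a short comment stating exactly what is signed would help. The enclosing method starts and ends outside both hunks.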