Do not sign useless User-Agent or Accept-Encoding headers (#8533)

Fix #8080

diff --git a/app/lib/request.rb b/app/lib/request.rb
index 21bdaa70030a508628abc53e0d40b5a936c92a1d..36c211dbfe50107d54fdb40630f9169929bb3051 100644 (file)
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -73,15 +73,15 @@ class Request
     algorithm = 'rsa-sha256'
     signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))
 
-    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
+    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
   end
 
   def signed_string
-    @headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+    signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
   end
 
   def signed_headers
-    @headers.keys.join(' ').downcase
+    @headers.without('User-Agent', 'Accept-Encoding')
   end
 
   def key_id