From e3764bdb529d3ec03f8db9fb20862af07d7590d4 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Fri, 31 Aug 2018 04:22:52 +0200
Subject: [PATCH] Do not sign useless User-Agent or Accept-Encoding headers
 (#8533)

Fix #8080
---
 app/lib/request.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/lib/request.rb b/app/lib/request.rb
index 21bdaa7003..36c211dbfe 100644
--- a/app/lib/request.rb
+++ b/app/lib/request.rb
@@ -73,15 +73,15 @@ class Request
     algorithm = 'rsa-sha256'
     signature = Base64.strict_encode64(@keypair.sign(OpenSSL::Digest::SHA256.new, signed_string))
 
-    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers}\",signature=\"#{signature}\""
+    "keyId=\"#{key_id}\",algorithm=\"#{algorithm}\",headers=\"#{signed_headers.keys.join(' ').downcase}\",signature=\"#{signature}\""
   end
 
   def signed_string
-    @headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
+    signed_headers.map { |key, value| "#{key.downcase}: #{value}" }.join("\n")
   end
 
   def signed_headers
-    @headers.keys.join(' ').downcase
+    @headers.without('User-Agent', 'Accept-Encoding')
   end
 
   def key_id
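Review bot: The new `signed_headers` drops `User-Agent` and `Accept-Encoding` by exact, case-sensitive key, while `signed_string` and the `headers=` parameter both downcase the keys. If `@headers` ever holds a differently cased key such as `user-agent` (how it is populated is not visible in this hunk), that header would still be signed and the exclusion would silently not apply. A case-insensitive filter avoids this: `@headers.reject { |key, _| %w(user-agent accept-encoding).include?(key.downcase) }`. Because this is a denylist, every other header later added to `@headers` becomes part of the signature, so a short comment on `signed_headers` would help, for example `# Headers covered by the signature; User-Agent and Accept-Encoding are left out because intermediaries may rewrite them`. The `signature` method that builds the `headers=` list starts above the hunk and `key_id` continues below it.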
-- 
GitLab