From 1ea556e805cd503427b0580d5eabd61741df0e18 Mon Sep 17 00:00:00 2001
From: James Calfee <james@jcalfee.info>
Date: Wed, 25 Jan 2017 12:08:17 -0600
Subject: [PATCH] Add signing challenge prefix.

---
 app/redux/UserSaga.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/redux/UserSaga.js b/app/redux/UserSaga.js
index b8bc45692..b5ba4c726 100644
--- a/app/redux/UserSaga.js
+++ b/app/redux/UserSaga.js
@@ -414,7 +414,9 @@ function* uploadImage({payload: {file, dataUrl, filename = 'image.txt', progress
 data = new Buffer(dataBs64, 'base64')
 }
- const bufSha = hash.sha256(data)
+ // The challenge needs to be prefixed with a constant (both on the server and checked on the client) to make sure the server can't easily make the client sign a transaction doing something else.
+ const prefix = new Buffer('ImageSigningChallenge')
+ const bufSha = hash.sha256(Buffer.concat([prefix, data]))
 const formData = new FormData()
 if(file) {
-- 
GitLab
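Review bot: The domain-separation tag is an inline literal inside uploadImage (`new Buffer('ImageSigningChallenge')`), yet the protection only holds if the verifier hashes exactly the same bytes, so I would hoist it to a named module-level constant with an explicit encoding, e.g. `const IMAGE_SIGNING_PREFIX = Buffer.from('ImageSigningChallenge', 'utf8')` (or `new Buffer(…, 'utf8')` to match the surrounding code). The added comment reads as if the client checks the prefix; presumably the client prepends it and the server verifies, so a wording such as `// Domain-separation prefix: prepended by the client before hashing and verified by the server, so a signed upload challenge cannot double as a signed transaction.` would be clearer. The signing of `bufSha` and the server-side check are outside this hunk, so it is worth confirming that the server stops accepting signatures over the unprefixed `sha256(data)` once clients are updated; otherwise the old, unseparated form remains valid. uploadImage begins and ends outside the hunk.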