authorMarkus Heiser <markus.heiser@darmarIT.de>2021-12-29 13:33:27 +0100
committerGitHub <noreply@github.com>2021-12-29 13:33:27 +0100
commit7966fd3bbdee448d5f4b532231d69310b4f91563 (patch)
tree8bd8d530e7cb56ec511ef7f8d9071398516ba94a
parent5cbbdc305f08ff11d9b59fbf95743ebe99cf3dbf (diff)
parent8f3a7feb47a84344a190ce83e629afde1181f6ae (diff)
Merge pull request #663 from dalf/mod_secret_key
changes about the secret_key
-rwxr-xr-xsearx/webapp.py4
-rw-r--r--searx/webutils.py14
-rw-r--r--tests/unit/test_webutils.py16
3 files changed, 17 insertions, 17 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index a7812f181..a2aa84d9d 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -71,6 +71,7 @@ from searx.webutils import (
get_themes,
prettify_url,
new_hmac,
+ is_hmac_of,
is_flask_run_cmdline,
)
from searx.webadapter import (
@@ -1067,8 +1068,7 @@ def image_proxy():
if not url:
return '', 400
- h = new_hmac(settings['server']['secret_key'], url.encode())
- if h != request.args.get('h'):
+ if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
return '', 400
maximum_size = 5 * 1024 * 1024
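Review bot: The new guard carries no comment saying what the `h` parameter protects, so a reader of image_proxy cannot tell from this spot that the signature check is what stops the endpoint from fetching arbitrary client-supplied URLs. I would put above the `if not is_hmac_of(...)` line: `# only proxy URLs that were signed server-side with secret_key; presumably an unsigned url would make this an open fetch proxy`. Note also that `request.args.get('h', '')` is client-controlled and may be any str, so whatever is_hmac_of does with a non-hex value becomes the response; a False (400) is the intended outcome, an exception would become a 500. image_proxy starts before this hunk and continues after it.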
diff --git a/searx/webutils.py b/searx/webutils.py
index 737e5a82f..068582858 100644
--- a/searx/webutils.py
+++ b/searx/webutils.py
@@ -77,14 +77,12 @@ def get_result_templates(templates_path):
def new_hmac(secret_key, url):
- try:
- secret_key_bytes = bytes(secret_key, 'utf-8')
- except TypeError as err:
- if isinstance(secret_key, bytes):
- secret_key_bytes = secret_key
- else:
- raise err
- return hmac.new(secret_key_bytes, url, hashlib.sha256).hexdigest()
+ return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
+
+
+def is_hmac_of(secret_key, value, hmac_to_check):
+ hmac_of_value = new_hmac(secret_key, value)
+ return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
def prettify_url(url, max_length=74):
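Review bot: `is_hmac_of` can raise instead of returning False when `hmac_to_check` is a str containing non-ASCII characters, because `hmac.compare_digest` only accepts two ASCII-only str values or two bytes-like objects and raises TypeError otherwise; the `len(...) ==` guard on the line before does not catch this, since a 64-character non-ASCII string passes it. The only visible caller passes `request.args.get('h', '')`, i.e. attacker-chosen text, so that TypeError would surface as an unhandled exception rather than the 400 the caller intends. Catching the TypeError inside the helper keeps the constant-time comparison and makes every non-digest input a plain mismatch; the length pre-check is then redundant, as compare_digest already returns False for inputs of different length without leaking their contents. A short docstring stating that this is where client-supplied digests are compared and why `==` must not be used would help the next maintainer.
```python
def is_hmac_of(secret_key, value, hmac_to_check):
    """Return True if hmac_to_check is the hex HMAC of value; constant-time, never raises."""
    hmac_of_value = new_hmac(secret_key, value)
    try:
        return hmac.compare_digest(hmac_of_value, hmac_to_check)
    except TypeError:
        # non-ASCII str or a str/bytes mix can never equal a hexdigest
        return False
```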
diff --git a/tests/unit/test_webutils.py b/tests/unit/test_webutils.py
index 2b7c6fe5a..31a0f86ce 100644
--- a/tests/unit/test_webutils.py
+++ b/tests/unit/test_webutils.py
@@ -78,10 +78,12 @@ class TestUnicodeWriter(SearxTestCase):
class TestNewHmac(SearxTestCase):
def test_bytes(self):
- for secret_key in ['secret', b'secret', 1]:
- if secret_key == 1:
- with self.assertRaises(TypeError):
- webutils.new_hmac(secret_key, b'http://example.com')
- continue
- res = webutils.new_hmac(secret_key, b'http://example.com')
- self.assertEqual(res, '23e2baa2404012a5cc8e4a18b4aabf0dde4cb9b56f679ddc0fd6d7c24339d819')
+ data = b'http://example.com'
+ with self.assertRaises(AttributeError):
+ webutils.new_hmac(b'secret', data)
+
+ with self.assertRaises(AttributeError):
+ webutils.new_hmac(1, data)
+
+ res = webutils.new_hmac('secret', data)
+ self.assertEqual(res, '23e2baa2404012a5cc8e4a18b4aabf0dde4cb9b56f679ddc0fd6d7c24339d819')