authorMarkus Heiser <markus.heiser@darmarit.de>2021-12-28 13:44:28 +0100
committerAlexandre Flament <alex@al-f.net>2021-12-28 23:04:06 +0100
commit8f3a7feb47a84344a190ce83e629afde1181f6ae (patch)
tree08866a29d69af2693912e554b7b7dd9baa0e300b /searx
parent7d4834ac4dd708b87187caff8eb59e783e8c2111 (diff)
[mod] implement is_hmac_of() in webutils / close to new_hmac()
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>, Alexandre Flament
Diffstat (limited to 'searx')
-rwxr-xr-xsearx/webapp.py5
-rw-r--r--searx/webutils.py5
2 files changed, 7 insertions, 3 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index 788e0d24f..a2aa84d9d 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -71,6 +71,7 @@ from searx.webutils import (
get_themes,
prettify_url,
new_hmac,
+ is_hmac_of,
is_flask_run_cmdline,
)
from searx.webadapter import (
@@ -1067,9 +1068,7 @@ def image_proxy():
if not url:
return '', 400
- h_url = new_hmac(settings['server']['secret_key'], url.encode())
- h_args = request.args.get('h')
- if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
+ if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
return '', 400
maximum_size = 5 * 1024 * 1024
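Review bot: With the digest comparison moved into `is_hmac_of`, the only use of the `hmac` module visible in this hunk is gone; if nothing else in webapp.py references `hmac` (not visible here), the module-level `import hmac` should be dropped in the same commit so it does not linger as a dead import. The replacement line is otherwise sound: `request.args.get('h', '')` now turns a missing `h` into a plain 400 instead of a `len(None)` TypeError. image_proxy's body starts and ends outside this hunk.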
diff --git a/searx/webutils.py b/searx/webutils.py
index 11a101806..068582858 100644
--- a/searx/webutils.py
+++ b/searx/webutils.py
@@ -80,6 +80,11 @@ def new_hmac(secret_key, url):
return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
+def is_hmac_of(secret_key, value, hmac_to_check):
+ hmac_of_value = new_hmac(secret_key, value)
+ return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
+
+
def prettify_url(url, max_length=74):
if len(url) > max_length:
chunk_len = int(max_length / 2 + 1)
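Review bot: `hmac.compare_digest` on `str` operands raises `TypeError` when either side contains non-ASCII characters, so a 64-character non-ASCII `hmac_to_check` passes the length guard on the new `return` line and then throws instead of returning False; at the image_proxy call site that turns attacker-controlled input into a 500 rather than the intended 400. A one-line guard before the comparison closes it: `if not isinstance(hmac_to_check, str) or not hmac_to_check.isascii(): return False` (`str.isascii` needs Python 3.7+; alternatively compare `.encode()`d bytes, which has no ASCII restriction). The helper also deserves a docstring, e.g. `"""Return True if hmac_to_check is the hex HMAC-SHA256 of value under secret_key, compared in constant time."""`. The explicit length check is harmless but redundant, since `compare_digest` already returns False for operands of unequal length.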