[enh] use HMAC for image proxy url verification
parent
e2245611d7
commit
19a6ca0b68
|
@ -22,10 +22,11 @@ if __name__ == '__main__':
|
||||||
from os.path import realpath, dirname
|
from os.path import realpath, dirname
|
||||||
path.append(realpath(dirname(realpath(__file__)) + '/../'))
|
path.append(realpath(dirname(realpath(__file__)) + '/../'))
|
||||||
|
|
||||||
import json
|
|
||||||
import cStringIO
|
import cStringIO
|
||||||
import os
|
|
||||||
import hashlib
|
import hashlib
|
||||||
|
import hmac
|
||||||
|
import json
|
||||||
|
import os
|
||||||
import requests
|
import requests
|
||||||
|
|
||||||
from searx import logger
|
from searx import logger
|
||||||
|
@ -250,8 +251,7 @@ def image_proxify(url):
|
||||||
if not request.preferences.get_value('image_proxy'):
|
if not request.preferences.get_value('image_proxy'):
|
||||||
return url
|
return url
|
||||||
|
|
||||||
hash_string = url + settings['server']['secret_key']
|
h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
|
||||||
h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
|
|
||||||
|
|
||||||
return '{0}?{1}'.format(url_for('image_proxy'),
|
return '{0}?{1}'.format(url_for('image_proxy'),
|
||||||
urlencode(dict(url=url.encode('utf-8'), h=h)))
|
urlencode(dict(url=url.encode('utf-8'), h=h)))
|
||||||
|
@ -599,7 +599,7 @@ def image_proxy():
|
||||||
if not url:
|
if not url:
|
||||||
return '', 400
|
return '', 400
|
||||||
|
|
||||||
h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest()
|
h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
|
||||||
|
|
||||||
if h != request.args.get('h'):
|
if h != request.args.get('h'):
|
||||||
return '', 400
|
return '', 400
|
||||||
|
|
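Review bot: The verification in image_proxy() still ends in `if h != request.args.get('h'):`, an ordinary string comparison that is not constant-time, so the move to HMAC leaves a timing difference on the tag check. I would compare with `hmac.compare_digest(h, received_h)`, taking care that both operands are the same string type and that a missing `h` parameter is rejected before the call. Separately, in image_proxify() the new `hmac.new(settings['server']['secret_key'], url, hashlib.sha256)` drops the `.encode('utf-8')` that the old code applied before hashing, while the return line still encodes `url`; if `url` is a unicode string there, a non-ASCII URL may raise or yield a tag that differs from the one image_proxy() computes, so encoding once and using the encoded value for both the MAC and the query string looks safer. Both function bodies start and end outside the hunks shown, so the types of `url` and of the secret key are inferred from the visible lines only.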