[mod] implement is_hmac_of() in webutils / close to new_hmac()
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>, Alexandre Flament
This commit is contained in:
parent
7d4834ac4d
commit
8f3a7feb47
@ -71,6 +71,7 @@ from searx.webutils import (
get_themes,
get_themes,
prettify_url,
prettify_url,
new_hmac,
new_hmac,
is_hmac_of,
is_flask_run_cmdline,
is_flask_run_cmdline,
)
)
from searx.webadapter import (
from searx.webadapter import (
@ -1067,9 +1068,7 @@ def image_proxy():
if not url:
if not url:
return '', 400
return '', 400
|
|
h_url = new_hmac(settings['server']['secret_key'], url.encode())
if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
h_args = request.args.get('h')
|
if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
|
return '', 400
return '', 400
|
|
maximum_size = 5 * 1024 * 1024
maximum_size = 5 * 1024 * 1024
|
|
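Review bot: With the `hmac.compare_digest` call removed from image_proxy, the module-level `import hmac` in webapp.py may now be unused — the import block is outside this hunk, so this is inferred; if nothing else in the file uses it, drop it so linters stay clean. The new check passes `request.args.get('h', '')` rather than a possibly-None value, which turns a missing `h` parameter into a 400 instead of an unhandled TypeError on `len(None)`; a short comment above the call would make that intent explicit, e.g. `# reject proxy requests whose 'h' token is missing or does not match the URL`. The body of image_proxy continues outside the hunk.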
@ -80,6 +80,11 @@ def new_hmac(secret_key, url):
return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
|
|
|
|
def is_hmac_of(secret_key, value, hmac_to_check):
hmac_of_value = new_hmac(secret_key, value)
return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
|
|
|
|
def prettify_url(url, max_length=74):
def prettify_url(url, max_length=74):
if len(url) > max_length:
if len(url) > max_length:
chunk_len = int(max_length / 2 + 1)
chunk_len = int(max_length / 2 + 1)
|
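Review bot: `hmac.compare_digest` raises TypeError when either str operand contains non-ASCII characters, so the new is_hmac_of turns a user-supplied token (webapp.py passes the `h` query parameter straight through) that has the same length as the hex digest but contains non-ASCII characters into an exception rather than a False result; compare bytes instead, `return hmac.compare_digest(hmac_of_value.encode(), hmac_to_check.encode())`, which assumes the str input the only visible caller passes. The explicit `len(...) == len(...)` guard can then go, since compare_digest already returns False for inputs of different length. is_hmac_of also has no docstring; a one-liner such as `"""Return True if hmac_to_check equals the hex HMAC of value under secret_key, compared in constant time."""` would state the contract, with the digest details living in new_hmac just above.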