[mod] implement is_hmac_of() in webutils / close to new_hmac()

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>, Alexandre Flament
This commit is contained in:
Markus Heiser 2021-12-28 13:44:28 +01:00 committed by Alexandre Flament
parent 7d4834ac4d
commit 8f3a7feb47
2 changed files with 7 additions and 3 deletions

View File

@ -71,6 +71,7 @@ from searx.webutils import (
get_themes, get_themes,
prettify_url, prettify_url,
new_hmac, new_hmac,
is_hmac_of,
is_flask_run_cmdline, is_flask_run_cmdline,
) )
from searx.webadapter import ( from searx.webadapter import (
@ -1067,9 +1068,7 @@ def image_proxy():
if not url: if not url:
return '', 400 return '', 400
h_url = new_hmac(settings['server']['secret_key'], url.encode()) if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
h_args = request.args.get('h')
if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
return '', 400 return '', 400
maximum_size = 5 * 1024 * 1024 maximum_size = 5 * 1024 * 1024

View File

@ -80,6 +80,11 @@ def new_hmac(secret_key, url):
return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest() return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
def is_hmac_of(secret_key, value, hmac_to_check):
hmac_of_value = new_hmac(secret_key, value)
return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
def prettify_url(url, max_length=74): def prettify_url(url, max_length=74):
if len(url) > max_length: if len(url) > max_length:
chunk_len = int(max_length / 2 + 1) chunk_len = int(max_length / 2 + 1)