From d7848702097ca6a3e8630ca6d46210abf7314673 Mon Sep 17 00:00:00 2001
From: Alexandre Flament
Date: Tue, 28 Dec 2021 08:36:31 +0100
Subject: [PATCH] [fix] use hmac.compare_digest instead of ==

see https://docs.python.org/3/library/hmac.html#hmac.HMAC.hexdigest
---
 searx/webapp.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/searx/webapp.py b/searx/webapp.py
index a7812f181..788e0d24f 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -1067,8 +1067,9 @@ def image_proxy():
 if not url:
 return '', 400
- h = new_hmac(settings['server']['secret_key'], url.encode())
- if h != request.args.get('h'):
+    h_url = new_hmac(settings['server']['secret_key'], url.encode())
+    h_args = request.args.get('h')
+    if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
 return '', 400
 maximum_size = 5 * 1024 * 1024
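Review bot: A request with no `h` parameter now raises `TypeError` on the new `len(h_args)` call, because `request.args.get('h')` returns `None`; the old `!=` comparison answered 400 in that case, so the patch turns a rejected request into a 500. The same line can also raise when `h` carries non-ASCII characters, since `hmac.compare_digest` on `str` arguments only accepts ASCII (assuming `new_hmac` returns the hexdigest `str` the subject refers to). Defaulting the argument and comparing as bytes closes both holes without the length pre-check: `h_args = request.args.get('h', '')` followed by `if not hmac.compare_digest(h_url.encode(), h_args.encode()):`. The diffstat shows no import change, so the new code relies on `hmac` already being imported at the top of webapp.py — worth confirming. `image_proxy` starts before and continues after this hunk.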