[fix] use hmac.compare_digest instead of ==

see https://docs.python.org/3/library/hmac.html#hmac.HMAC.hexdigest
2021-12-28 08:36:31 +01:00 · 2021-12-28 08:36:31 +01:00 · d784870209
parent c6922ae7c5
commit d784870209
1 changed files with 3 additions and 2 deletions
--- a/searx/webapp.py
+++ b/searx/webapp.py
@ -1067,8 +1067,9 @@ def image_proxy():
    if not url:
        return '', 400

-    h = new_hmac(settings['server']['secret_key'], url.encode())
-    if h != request.args.get('h'):
+    h_url = new_hmac(settings['server']['secret_key'], url.encode())
+    h_args = request.args.get('h')
+    if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
        return '', 400

    maximum_size = 5 * 1024 * 1024