Merge pull request #663 from dalf/mod_secret_key

changes about the secret_key
Markus Heiser 2021-12-29 13:33:27 +01:00 committed by GitHub
commit 7966fd3bbd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 17 deletions


@ -71,6 +71,7 @@ from searx.webutils import (
get_themes, get_themes,
prettify_url, prettify_url,
new_hmac, new_hmac,
is_hmac_of,
is_flask_run_cmdline, is_flask_run_cmdline,
) )
from searx.webadapter import ( from searx.webadapter import (
@ -1067,8 +1068,7 @@ def image_proxy():
if not url: if not url:
return '', 400 return '', 400
h = new_hmac(settings['server']['secret_key'], url.encode()) if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
if h != request.args.get('h'):
return '', 400 return '', 400
maximum_size = 5 * 1024 * 1024 maximum_size = 5 * 1024 * 1024


@ -77,14 +77,12 @@ def get_result_templates(templates_path):
def new_hmac(secret_key, url): def new_hmac(secret_key, url):
try: return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
secret_key_bytes = bytes(secret_key, 'utf-8')
except TypeError as err:
if isinstance(secret_key, bytes): def is_hmac_of(secret_key, value, hmac_to_check):
secret_key_bytes = secret_key hmac_of_value = new_hmac(secret_key, value)
else: return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
raise err
return hmac.new(secret_key_bytes, url, hashlib.sha256).hexdigest()
def prettify_url(url, max_length=74): def prettify_url(url, max_length=74):
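Review bot: `is_hmac_of` can raise instead of returning False, because `hmac.compare_digest` accepts `str` arguments only when they are ASCII, and `hmac_to_check` is the request-supplied `h` parameter passed in from `image_proxy()`. A 64-character value containing a non-ASCII character passes the length check and then raises `TypeError`, which would presumably surface as a 500 rather than the intended 400. Comparing bytes avoids this and makes the length pre-check unnecessary: `return hmac.compare_digest(hmac_of_value.encode(), hmac_to_check.encode())`. A short docstring on `is_hmac_of` saying that `hmac_to_check` is untrusted input and that the comparison is constant-time would also help the next reader.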


@ -78,10 +78,12 @@ class TestUnicodeWriter(SearxTestCase):
class TestNewHmac(SearxTestCase): class TestNewHmac(SearxTestCase):
def test_bytes(self): def test_bytes(self):
for secret_key in ['secret', b'secret', 1]: data = b'http://example.com'
if secret_key == 1: with self.assertRaises(AttributeError):
with self.assertRaises(TypeError): webutils.new_hmac(b'secret', data)
webutils.new_hmac(secret_key, b'http://example.com')
continue with self.assertRaises(AttributeError):
res = webutils.new_hmac(secret_key, b'http://example.com') webutils.new_hmac(1, data)
res = webutils.new_hmac('secret', data)
self.assertEqual(res, '23e2baa2404012a5cc8e4a18b4aabf0dde4cb9b56f679ddc0fd6d7c24339d819') self.assertEqual(res, '23e2baa2404012a5cc8e4a18b4aabf0dde4cb9b56f679ddc0fd6d7c24339d819')
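Review bot: The visible test hunk only exercises `new_hmac`; the new `is_hmac_of`, which now guards `image_proxy()`, has no test here. A matching case and a mismatching case would pin the behaviour, e.g. `self.assertTrue(webutils.is_hmac_of('secret', data, res))` and `self.assertFalse(webutils.is_hmac_of('secret', data, ''))`, along with a candidate of the right length but wrong content. `test_bytes` now mostly asserts that non-`str` keys are rejected with `AttributeError`, so splitting that part into its own test with a descriptive name would read more accurately.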