
[enh] use HMAC for image proxy url verification

Adam Tauber 8 年前
父节点
当前提交
19a6ca0b68
共有 1 个文件被更改,包括 5 次插入5 次删除
  1. 5
    5
      searx/webapp.py

+ 5
- 5
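--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -22,10 +22,11 @@ if __name__ == '__main__':
     from os.path import realpath, dirname
     path.append(realpath(dirname(realpath(__file__)) + '/../'))
 
-import json
 import cStringIO
-import os
 import hashlib
+import hmac
+import json
+import os
 import requests
 
 from searx import logger
@@ -250,8 +251,7 @@ def image_proxify(url):
     if not request.preferences.get_value('image_proxy'):
         return url
 
-    hash_string = url + settings['server']['secret_key']
-    h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
+    h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
 
     return '{0}?{1}'.format(url_for('image_proxy'),
                             urlencode(dict(url=url.encode('utf-8'), h=h)))
@@ -599,7 +599,7 @@ def image_proxy():
     if not url:
         return '', 400
 
-    h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest()
+    h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
 
     if h != request.args.get('h'):
         return '', 400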
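Review bot: The verification in image_proxy() still compares the tag with `if h != request.args.get('h'):`, which is not a constant-time comparison, so the move to HMAC leaves the check itself timing-dependent. I would use `if not hmac.compare_digest(h, request.args.get('h', '')):`, making sure both arguments are the same string type and that a missing `h` parameter is rejected rather than raising. Separately, the new signing line in image_proxify() drops the `.encode('utf-8')` that the removed code applied, while the following `urlencode(...)` call still encodes `url`. If `url` can be a unicode string with non-ASCII characters there, signing presumably fails or disagrees with the verifier, so `url.encode('utf-8')` should be passed to `hmac.new` as well. Both function bodies continue outside the visible hunks, so how `url` is obtained in image_proxy() should be confirmed.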