free
/
searx
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
Browse Source

[enh] use HMAC for image proxy url verification

Adam Tauber 9 years ago
parent
e2245611d7
commit
19a6ca0b68
1 changed files with 5 additions and 5 deletions
Unified View Show Diff Stats
  1. 5
    5
      searx/webapp.py

+ 5
- 5
searx/webapp.py View File

22 
     from os.path import realpath, dirname
 22 
     from os.path import realpath, dirname
23 
     path.append(realpath(dirname(realpath(__file__)) + '/../'))
 23 
     path.append(realpath(dirname(realpath(__file__)) + '/../'))
24
24
25 
-import json
26 
 import cStringIO
 25 
 import cStringIO
27 
-import os
28 
 import hashlib
 26 
 import hashlib
27 
+import hmac
28 
+import json
29 
+import os
29 
 import requests
 30 
 import requests
30
31
31 
 from searx import logger
 32 
 from searx import logger
250 
     if not request.preferences.get_value('image_proxy'):
 251 
     if not request.preferences.get_value('image_proxy'):
251 
         return url
 252 
         return url
252
253
253 
-    hash_string = url + settings['server']['secret_key']
254 
-    h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
254 
+    h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
255
255
256 
     return '{0}?{1}'.format(url_for('image_proxy'),
 256 
     return '{0}?{1}'.format(url_for('image_proxy'),
257 
                             urlencode(dict(url=url.encode('utf-8'), h=h)))
 257 
                             urlencode(dict(url=url.encode('utf-8'), h=h)))
599 
     if not url:
 599 
     if not url:
600 
         return '', 400
 600 
         return '', 400
601
601
602 
-    h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest()
602 
+    h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
603
603
604 
     if h != request.args.get('h'):
 604 
     if h != request.args.get('h'):
605 
         return '', 400
 605 
         return '', 400