commit: 19a6ca0b68839e8d8903e99c336e1c1b1df624e1
parent: e2245611d78614555f59d0fe2cd4b94ce0b39b12
Author: Adam Tauber <asciimoo@gmail.com>
Date: Sun, 16 Oct 2016 23:40:56 +0200
[enh] use HMAC for image proxy url verification
Diffstat:
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/searx/webapp.py b/searx/webapp.py
@@ -22,10 +22,11 @@ if __name__ == '__main__':
from os.path import realpath, dirname
path.append(realpath(dirname(realpath(__file__)) + '/../'))
-import json
import cStringIO
-import os
import hashlib
+import hmac
+import json
+import os
import requests
from searx import logger
@@ -250,8 +251,7 @@ def image_proxify(url):
if not request.preferences.get_value('image_proxy'):
return url
- hash_string = url + settings['server']['secret_key']
- h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
+ h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
return '{0}?{1}'.format(url_for('image_proxy'),
urlencode(dict(url=url.encode('utf-8'), h=h)))
@@ -599,7 +599,7 @@ def image_proxy():
if not url:
return '', 400
- h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest()
+ h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
if h != request.args.get('h'):
return '', 400
