
searx

commit: 19a6ca0b68839e8d8903e99c336e1c1b1df624e1
parent: e2245611d78614555f59d0fe2cd4b94ce0b39b12
Author: Adam Tauber <asciimoo@gmail.com>
Date:   Sun, 16 Oct 2016 23:40:56 +0200

[enh] use HMAC for image proxy url verification

Diffstat:

searx/webapp.py | 10+++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/searx/webapp.py b/searx/webapp.py @@ -22,10 +22,11 @@ if __name__ == '__main__': from os.path import realpath, dirname path.append(realpath(dirname(realpath(__file__)) + '/../')) -import json import cStringIO -import os import hashlib +import hmac +import json +import os import requests from searx import logger @@ -250,8 +251,7 @@ def image_proxify(url): if not request.preferences.get_value('image_proxy'): return url - hash_string = url + settings['server']['secret_key'] - h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest() + h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest() return '{0}?{1}'.format(url_for('image_proxy'), urlencode(dict(url=url.encode('utf-8'), h=h))) @@ -599,7 +599,7 @@ def image_proxy(): if not url: return '', 400 - h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest() + h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest() if h != request.args.get('h'): return '', 400
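Review bot: In the `image_proxify` hunk the new `hmac.new(...)` call signs `url` without the UTF-8 encoding that the removed `hash_string.encode('utf-8')` applied, although the following `urlencode(dict(url=url.encode('utf-8'), h=h))` shows that `url` can be a unicode string there. On Python 2 (the file imports `cStringIO`) a URL with non-ASCII characters would likely raise inside the HMAC update instead of yielding a digest. Signing the encoded bytes keeps the old behaviour: `h = hmac.new(settings['server']['secret_key'], url.encode('utf-8'), hashlib.sha256).hexdigest()`. The `image_proxy` hunk has to sign the same byte form for the two digests to match; whether `url` is already encoded at that point is outside the hunk.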
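Review bot: The `image_proxy` hunk still checks the tag with `if h != request.args.get('h'):`, an ordinary string comparison that stops at the first differing character, so the response time can reveal how much of a submitted value matches the expected HMAC. `hmac.compare_digest` is the constant-time comparison meant for this, and `hmac` is imported by this same commit. It requires both arguments to be of the same type and does not accept `None`, so a missing `h` parameter has to be rejected first, for example `sig = request.args.get('h')` followed by `if not sig or not hmac.compare_digest(h, sig.encode('utf-8')):` (the type handling should be confirmed against the Python version in use). The body of `image_proxy` starts and continues outside the hunk.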