diff options
| author | Alexandre Flament <alex@al-f.net> | 2021-12-28 08:36:31 +0100 |
|---|---|---|
| committer | Alexandre Flament <alex@al-f.net> | 2021-12-28 08:36:31 +0100 |
| commit | d7848702097ca6a3e8630ca6d46210abf7314673 (patch) | |
| tree | 8f859641d463e252fd31e02e7842811ccfa3b0d2 | |
| parent | c6922ae7c5e53f695d5f5f8704b10b4e2815cda4 (diff) | |
| download | searxng-d7848702097ca6a3e8630ca6d46210abf7314673.tar.gz searxng-d7848702097ca6a3e8630ca6d46210abf7314673.zip | |
[fix] use hmac.compare_digest instead of ==
see https://docs.python.org/3/library/hmac.html#hmac.HMAC.hexdigest
| -rwxr-xr-x | searx/webapp.py | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/searx/webapp.py b/searx/webapp.py index a7812f181..788e0d24f 100755 --- a/searx/webapp.py +++ b/searx/webapp.py @@ -1067,8 +1067,9 @@ def image_proxy(): if not url: return '', 400 - h = new_hmac(settings['server']['secret_key'], url.encode()) - if h != request.args.get('h'): + h_url = new_hmac(settings['server']['secret_key'], url.encode()) + h_args = request.args.get('h') + if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args): return '', 400 maximum_size = 5 * 1024 * 1024 |