author | Markus Heiser <markus.heiser@darmarit.de> | 2021-12-28 13:44:28 +0100 |
---|---|---|
committer | Alexandre Flament <alex@al-f.net> | 2021-12-28 23:04:06 +0100 |
commit | 8f3a7feb47a84344a190ce83e629afde1181f6ae (patch) | |
tree | 08866a29d69af2693912e554b7b7dd9baa0e300b /searx/webapp.py | |
parent | 7d4834ac4dd708b87187caff8eb59e783e8c2111 (diff) | |
[mod] implement is_hmac_of() in webutils / close to new_hmac()
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>, Alexandre Flament
Diffstat (limited to 'searx/webapp.py')
-rwxr-xr-x | searx/webapp.py | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index 788e0d24f..a2aa84d9d 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -71,6 +71,7 @@ from searx.webutils import (
 get_themes,
 prettify_url,
 new_hmac,
+ is_hmac_of,
 is_flask_run_cmdline,
 )
 from searx.webadapter import (
@@ -1067,9 +1068,7 @@ def image_proxy():
 if not url:
 return '', 400
- h_url = new_hmac(settings['server']['secret_key'], url.encode())
- h_args = request.args.get('h')
- if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
+ if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
 return '', 400
 maximum_size = 5 * 1024 * 1024 |
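Review bot: In the `image_proxy()` hunk, the constant-time comparison and the handling of a malformed `h` parameter now depend entirely on `is_hmac_of()`, whose body is in `searx/webutils.py` and is not shown in this diff. It is worth confirming there that the helper still compares with `hmac.compare_digest` and returns `False` rather than raising when `h` contains non-ASCII characters, since `compare_digest` raises `TypeError` on non-ASCII `str` input and `h` is client-controlled. A short comment at the call site would make the intent explicit, e.g. `# 'h' must be the HMAC of url under server.secret_key; anything else is rejected with 400`. If this was the only use of `hmac` in `webapp.py`, the module-level `import hmac` is presumably unused now and can be dropped. The body of `image_proxy()` starts and ends outside the hunk.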