author | Markus Heiser <markus.heiser@darmarIT.de> | 2021-12-29 13:33:27 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-29 13:33:27 +0100 |
commit | 7966fd3bbdee448d5f4b532231d69310b4f91563 (patch) | |
tree | 8bd8d530e7cb56ec511ef7f8d9071398516ba94a /searx | |
parent | 5cbbdc305f08ff11d9b59fbf95743ebe99cf3dbf (diff) | |
parent | 8f3a7feb47a84344a190ce83e629afde1181f6ae (diff) | |
Merge pull request #663 from dalf/mod_secret_key
changes about the secret_key
Diffstat (limited to 'searx')
-rwxr-xr-x | searx/webapp.py | 4 | ||||
-rw-r--r-- | searx/webutils.py | 14 |
2 files changed, 8 insertions, 10 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index a7812f181..a2aa84d9d 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -71,6 +71,7 @@ from searx.webutils import (
     get_themes,
     prettify_url,
     new_hmac,
+    is_hmac_of,
     is_flask_run_cmdline,
 )
 from searx.webadapter import (
@@ -1067,8 +1068,7 @@ def image_proxy():
     if not url:
         return '', 400
 
-    h = new_hmac(settings['server']['secret_key'], url.encode())
-    if h != request.args.get('h'):
+    if not is_hmac_of(settings['server']['secret_key'], url.encode(), request.args.get('h', '')):
         return '', 400
 
     maximum_size = 5 * 1024 * 1024
diff --git a/searx/webutils.py b/searx/webutils.py
index 737e5a82f..068582858 100644
--- a/searx/webutils.py
+++ b/searx/webutils.py
@@ -77,14 +77,12 @@ def get_result_templates(templates_path):
 
 
 def new_hmac(secret_key, url):
-    try:
-        secret_key_bytes = bytes(secret_key, 'utf-8')
-    except TypeError as err:
-        if isinstance(secret_key, bytes):
-            secret_key_bytes = secret_key
-        else:
-            raise err
-    return hmac.new(secret_key_bytes, url, hashlib.sha256).hexdigest()
+    return hmac.new(secret_key.encode(), url, hashlib.sha256).hexdigest()
+
+
+def is_hmac_of(secret_key, value, hmac_to_check):
+    hmac_of_value = new_hmac(secret_key, value)
+    return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value, hmac_to_check)
 
 
 def prettify_url(url, max_length=74):
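Review bot: The new condition in image_proxy packs the secret, the URL and the request token into a single line of over 100 characters, which obscures what is actually being verified; binding the token first reads more clearly: `h = request.args.get('h', '')` followed by `if not is_hmac_of(settings['server']['secret_key'], url.encode(), h):`. The empty-string default is only correct because is_hmac_of rejects a length mismatch before comparing, which deserves a short comment such as `# a missing 'h' fails the length check inside is_hmac_of`. image_proxy begins and continues outside this hunk.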
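Review bot: In is_hmac_of, `hmac.compare_digest` on two `str` operands raises TypeError when either contains a non-ASCII character, so a request whose `h` parameter has the expected 64-character length but non-ASCII content turns into an unhandled exception in image_proxy instead of a 400; the preceding length check does not guard against this. Comparing the UTF-8 encoded values avoids it (assuming hmac_to_check is always a str, as it is at the image_proxy call site): `return len(hmac_of_value) == len(hmac_to_check) and hmac.compare_digest(hmac_of_value.encode(), hmac_to_check.encode())`. With bytes operands compare_digest itself returns False for unequal lengths, so the explicit length check then serves only readability. Both new functions would also benefit from a one-line docstring stating that secret_key must be a str (new_hmac no longer accepts bytes after this change) and that hmac_to_check is the caller-supplied hex digest being verified.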