author | Adam Tauber <asciimoo@gmail.com> | 2016-10-16 23:40:56 +0200 |
---|---|---|
committer | Adam Tauber <asciimoo@gmail.com> | 2016-10-16 23:41:33 +0200 |
commit | 19a6ca0b68839e8d8903e99c336e1c1b1df624e1 (patch) | |
tree | fe0cac616bc079e25baeafe3d6dc12c066a77f2d /searx | |
parent | e2245611d78614555f59d0fe2cd4b94ce0b39b12 (diff) | |
download | searxng-19a6ca0b68839e8d8903e99c336e1c1b1df624e1.tar.gz searxng-19a6ca0b68839e8d8903e99c336e1c1b1df624e1.zip |
[enh] use HMAC for image proxy url verification
Diffstat (limited to 'searx')
-rw-r--r-- | searx/webapp.py | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/searx/webapp.py b/searx/webapp.py
index 5bdbc71a6..962367c84 100644
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -22,10 +22,11 @@ if __name__ == '__main__':
 from os.path import realpath, dirname
 path.append(realpath(dirname(realpath(__file__)) + '/../'))
-import json
 import cStringIO
-import os
 import hashlib
+import hmac
+import json
+import os
 import requests
 from searx import logger
@@ -250,8 +251,7 @@ def image_proxify(url):
 if not request.preferences.get_value('image_proxy'):
 return url
- hash_string = url + settings['server']['secret_key']
- h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
+ h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
 return '{0}?{1}'.format(url_for('image_proxy'), urlencode(dict(url=url.encode('utf-8'), h=h)))
@@ -599,7 +599,7 @@ def image_proxy():
 if not url:
 return '', 400
- h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest()
+ h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
 if h != request.args.get('h'):
 return '', 400 |
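Review bot: The new `hmac.new(...)` call in image_proxify passes `url` unencoded, while the removed line hashed `hash_string.encode('utf-8')` and the `urlencode` call just below still uses `url.encode('utf-8')`, which suggests `url` can be a unicode string at this point. On Python 2 (the file imports cStringIO) a unicode message containing non-ASCII characters would presumably raise UnicodeEncodeError inside the digest, so image results with non-ASCII URLs would stop being proxied. I would keep the explicit encoding, `h = hmac.new(settings['server']['secret_key'], url.encode('utf-8'), hashlib.sha256).hexdigest()`, and make sure image_proxy MACs the same byte string so signing and verification always agree. The body of image_proxify starts outside this hunk, so the type of `url` should be confirmed there.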
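Review bot: The verification in image_proxy still compares the expected MAC with the request-supplied value using `if h != request.args.get('h'):`, an ordinary string comparison that can stop at the first differing character and is therefore not constant-time. Since this commit exists to harden the proxy URL check, the comparison should use the constant-time helper from the module it now imports, e.g. `if not hmac.compare_digest(h, request.args.get('h', '').encode('utf-8')):`. The `.encode` is there because `compare_digest` requires both arguments to be of the same type, and the type of the request argument is not visible here. The `''` default keeps a missing `h` parameter on the existing 400 path. `hmac.compare_digest` needs Python 2.7.7 or later, so the supported interpreter range should be checked. The assignment of `url` and the rest of image_proxy lie outside the hunk.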