[enh] use HMAC for image proxy url verification

This commit is contained in:
Adam Tauber 2016-10-16 23:40:56 +02:00
parent e2245611d7
commit 19a6ca0b68


@ -22,10 +22,11 @@ if __name__ == '__main__':
from os.path import realpath, dirname from os.path import realpath, dirname
path.append(realpath(dirname(realpath(__file__)) + '/../')) path.append(realpath(dirname(realpath(__file__)) + '/../'))
import json
import cStringIO import cStringIO
import os
import hashlib import hashlib
import hmac
import json
import os
import requests import requests
from searx import logger from searx import logger
@ -250,8 +251,7 @@ def image_proxify(url):
if not request.preferences.get_value('image_proxy'): if not request.preferences.get_value('image_proxy'):
return url return url
hash_string = url + settings['server']['secret_key'] h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
h = hashlib.sha256(hash_string.encode('utf-8')).hexdigest()
return '{0}?{1}'.format(url_for('image_proxy'), return '{0}?{1}'.format(url_for('image_proxy'),
urlencode(dict(url=url.encode('utf-8'), h=h))) urlencode(dict(url=url.encode('utf-8'), h=h)))
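Review bot: The new `h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()` line feeds `url` to the MAC without the `.encode('utf-8')` the removed line applied, while the line below still encodes the same url before urlencode; the file imports cStringIO, so this appears to be Python 2, where a unicode url with non-ASCII characters would raise UnicodeEncodeError inside hmac, and an ASCII-only url would verify by accident rather than by design. Signing the same bytes that are sent keeps producer and verifier aligned: `h = hmac.new(settings['server']['secret_key'], url.encode('utf-8'), hashlib.sha256).hexdigest()`, with the matching change on the verifying line in image_proxy's hunk. That `url` can be unicode here is inferred from the existing `url.encode('utf-8')` call and should be confirmed against callers. image_proxify's def line lies before this hunk.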
@ -599,7 +599,7 @@ def image_proxy():
if not url: if not url:
return '', 400 return '', 400
h = hashlib.sha256(url + settings['server']['secret_key'].encode('utf-8')).hexdigest() h = hmac.new(settings['server']['secret_key'], url, hashlib.sha256).hexdigest()
if h != request.args.get('h'): if h != request.args.get('h'):
return '', 400 return '', 400
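Review bot: The check `if h != request.args.get('h'):` compares the freshly computed MAC against the client-supplied value with ordinary string inequality, which stops at the first differing byte; since this commit is exactly about making this check an HMAC verification, `hmac.compare_digest` is the matching constant-time comparison. `request.args.get('h')` may be absent, and in Python 2.7.7+ compare_digest requires both operands to be of the same type, so a presence default and an explicit encoding keep it from raising TypeError on a bad request: `supplied = request.args.get('h', '')` / `if not hmac.compare_digest(h, supplied.encode('utf-8')):` / `return '', 400`. compare_digest exists from Python 2.7.7 and 3.3; if older interpreters must be supported a fallback is needed. image_proxy's body continues outside the hunk.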