[pmg-devel] [PATCH api] use hmac_sha_256 for csrf token
Oguz Bektas
o.bektas at proxmox.com
Thu Jul 25 12:36:47 CEST 2019
hi,
shouldn't we apply this for compatibility?
On Tue, Jun 18, 2019 at 04:37:02PM +0200, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>
> analog change from PVE access-control and common, to switch the hashing function
> for csrf tokens with a secure alternative (HMAC SHA256).
>
> i think no other change is needed, since we do verification from PVE stack. my
> previous patch series should be applied first.
>
> PMG/Ticket.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
> index c9cf096..b1408da 100644
> --- a/PMG/Ticket.pm
> +++ b/PMG/Ticket.pm
> @@ -139,7 +139,7 @@ my $read_csrf_secret = sub {
>
> my $input = <$fh>;
>
> - return Digest::SHA::sha1_base64($input);
> + return Digest::SHA::hmac_sha256_base64($input);
> };
>
> PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
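Review bot: the `+` line in `$read_csrf_secret` calls `Digest::SHA::hmac_sha256_base64($input)` with a single argument and no separate key. Digest::SHA's HMAC functions take the key as the last argument, so the code does not show whether the file contents are meant as the key or as the message. Please either make the call explicit with two arguments or add a one-line comment stating the intent. The returned value also changes for the same file contents, so anything computed from the old `sha1_base64` result will no longer match after the switch. That is worth stating in the commit message next to the ordering dependency on the PVE series.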
> --
> 2.11.0
>
>