[pmg-devel] [PATCH api] use hmac_sha_256 for csrf token

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jul 25 13:30:15 CEST 2019


On 7/25/19 12:36 PM, Oguz Bektas wrote:
> hi,
> 
> shouldn't we apply this for compatibility?

Yes, that's why I requested it from you ;-)

Did you also test this? And if, how did you test it?

> 
> On Tue, Jun 18, 2019 at 04:37:02PM +0200, Oguz Bektas wrote:
>> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
>> ---
>>
>> analog change from PVE access-control and common, to switch the hashing function
>> for csrf tokens with a secure alternative (HMAC SHA256).
>>
>> i think no other change is needed, since we do verification from PVE stack. my
>> previous patch series should be applied first.
>>
>>  PMG/Ticket.pm | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
>> index c9cf096..b1408da 100644
>> --- a/PMG/Ticket.pm
>> +++ b/PMG/Ticket.pm
>> @@ -139,7 +139,7 @@ my $read_csrf_secret = sub {
>>  
>>     my $input = <$fh>;
>>  
>> -   return Digest::SHA::sha1_base64($input);
>> +   return Digest::SHA::hmac_sha256_base64($input);
>>  };
>>  
>>  PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
>> -- 
>> 2.11.0
>>
>>



More information about the pmg-devel mailing list