[pmg-devel] [PATCH api] use hmac_sha_256 for csrf token
Oguz Bektas
o.bektas at proxmox.com
Thu Jul 25 13:33:47 CEST 2019
On Thu, Jul 25, 2019 at 01:30:15PM +0200, Thomas Lamprecht wrote:
> On 7/25/19 12:36 PM, Oguz Bektas wrote:
> > hi,
> >
> > shouldn't we apply this for compatibility?
>
> Yes, that's why I requested it from you ;-)
I sent it last month :)
>
> Did you also test this? And if, how did you test it?
I did not, but this is the only place where we have anything to do with
the ticket/csrf token. The rest is taken from the PVE stack, which already
works.
I can test it if you like and let you know today.
>
> >
> > On Tue, Jun 18, 2019 at 04:37:02PM +0200, Oguz Bektas wrote:
> >> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> >> ---
> >>
> >> Analogous change from PVE access-control and common, to switch the hashing function
> >> for csrf tokens to a secure alternative (HMAC SHA256).
> >>
> >> I think no other change is needed, since we do verification from the PVE stack. My
> >> previous patch series should be applied first.
> >>
> >> PMG/Ticket.pm | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
> >> index c9cf096..b1408da 100644
> >> --- a/PMG/Ticket.pm
> >> +++ b/PMG/Ticket.pm
> >> @@ -139,7 +139,7 @@ my $read_csrf_secret = sub {
> >>
> >> my $input = <$fh>;
> >>
> >> - return Digest::SHA::sha1_base64($input);
> >> + return Digest::SHA::hmac_sha256_base64($input);
> >> };
> >>
> >> PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
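Review bot: the `+` line passes only `$input` to `Digest::SHA::hmac_sha256_base64`, whose signature is `hmac_sha256_base64($data, $key)`; with the key argument omitted the HMAC is computed with an empty key, so the value returned by `$read_csrf_secret` is effectively an unkeyed SHA-256 digest of the secret file's contents, not a keyed MAC. If the intent is simply to derive the CSRF secret with a stronger digest than `sha1_base64`, `Digest::SHA::sha256_base64($input)` says so plainly; if a keyed derivation was intended, the key is missing. In either case the derived secret changes value, so tokens issued with the old `sha1_base64` secret will no longer verify after the upgrade, and because verification happens in the PVE stack (per the commit message), this should be tested end to end by issuing a token and verifying it on the PVE side before the patch is applied.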
> >> --
> >> 2.11.0
> >>
> >>