[pmg-devel] [PATCH api] use hmac_sha_256 for csrf token

Oguz Bektas o.bektas at proxmox.com
Tue Jun 18 16:37:02 CEST 2019


Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---

analog change from PVE access-control and common, to switch the hashing function
for csrf tokens with a secure alternative (HMAC SHA256).

i think no other change is needed, since we do verification from PVE stack. my
previous patch series should be applied first.

 PMG/Ticket.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
index c9cf096..b1408da 100644
--- a/PMG/Ticket.pm
+++ b/PMG/Ticket.pm
@@ -139,7 +139,7 @@ my $read_csrf_secret = sub {
 
    my $input = <$fh>;
 
-   return Digest::SHA::sha1_base64($input);
+   return Digest::SHA::hmac_sha256_base64($input);
 };
 
 PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
-- 
2.11.0




More information about the pmg-devel mailing list