[pve-devel] [PATCH 0/2] switch to hmac sha1 for csrf prevention token

Oguz Bektas o.bektas at proxmox.com
Mon Jun 17 11:53:52 CEST 2019


we use sha1 for generating our csrf token. switch to hmac sha1 for protection
against length extension attacks and reduce possible collisions.

Oguz Bektas (1):

pve-access-control:

  use hmac_sha1 instead of sha1 for csrf token

 PVE/AccessControl.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

common:

  use hmac_sha1 instead of sha1 for csrf token

 src/PVE/Ticket.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)


-- 
2.11.0





More information about the pve-devel mailing list