[pve-devel] [PATCH 0/2] switch to hmac sha1 for csrf prevention token

Oguz Bektas o.bektas at proxmox.com
Mon Jun 17 12:41:35 CEST 2019


hi,

do not apply, i'll look into other algorithms to decide what's best

On Mon, Jun 17, 2019 at 11:53:52AM +0200, Oguz Bektas wrote:
> we use sha1 for generating our csrf token. switch to hmac sha1 for protection
> against length extension attacks and reduce possible collisions.
> 
> Oguz Bektas (1):
> 
> pve-access-control:
> 
>   use hmac_sha1 instead of sha1 for csrf token
> 
>  PVE/AccessControl.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> common:
> 
>   use hmac_sha1 instead of sha1 for csrf token
> 
>  src/PVE/Ticket.pm | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> 
> -- 
> 2.11.0
> 
> 




More information about the pve-devel mailing list