[pve-devel] [PATCH 0/2] use hmac sha256 for csrf token generation/verification

Oguz Bektas o.bektas at proxmox.com
Mon Jun 17 14:15:22 CEST 2019


We use SHA-1 while generating our CSRF token; switched to HMAC-SHA256 as
suggested in the OWASP CSRF cheat sheet [0].

[0]: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md#token-based-mitigation

pve-access-control:
Oguz Bektas (1):
  use hmac_sha256 instead of sha1 for csrf token

 PVE/AccessControl.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

pve-common:
Oguz Bektas (1):
  use hmac_sha256 instead of sha1 for csrf token

 src/PVE/Ticket.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

-- 
2.11.0
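
A keyed CSRF token of the kind the cover letter refers to, as an added example that is not code from this patch series or from Proxmox. The `HEXTIME:HEXMAC` layout, the two-hour lifetime, the function names and the sample values are all assumptions, and it is written in Python rather than the project's Perl.

```python
import hashlib
import hmac
import time

MAX_AGE = 2 * 60 * 60  # assumed token lifetime in seconds


def _mac(secret, ts_hex, username):
    # HMAC-SHA256 keyed with the server secret; the message binds the
    # issue time to the user the token was issued for.
    msg = f"{ts_hex}:{username}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_csrf_token(secret, username, now=None):
    """Return 'HEXTIME:HEXMAC' (assumed layout)."""
    ts_hex = format(int(time.time()) if now is None else now, "08X")
    return f"{ts_hex}:{_mac(secret, ts_hex, username)}"


def verify_csrf_token(secret, username, token, now=None, max_age=MAX_AGE):
    """True only for an unexpired token issued to `username` under `secret`."""
    now = int(time.time()) if now is None else now
    ts_hex, sep, mac_hex = token.partition(":")
    if not sep:
        return False
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return False
    expected = _mac(secret, ts_hex, username)
    # Constant-time comparison so the check does not leak how many
    # leading characters of a guessed MAC were correct.
    if not hmac.compare_digest(expected.encode(),
                               mac_hex.encode("utf-8", "replace")):
        return False
    # Age is checked only after the MAC proves the timestamp is ours.
    return 0 <= now - issued <= max_age


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    tok = make_csrf_token(secret, "root@pam")
    print(tok, verify_csrf_token(secret, "root@pam", tok))
```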




