[pve-devel] [PATCH v3 0/2] use hmac_sha256 instead of sha1 for csrf token
Oguz Bektas
o.bektas at proxmox.com
Tue Jun 18 15:19:14 CEST 2019
We use SHA-1 while generating our CSRF token; switched to HMAC-SHA256 as
suggested in the OWASP CSRF cheat sheet[0].
[0]: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md#token-based-mitigation
pve-access-control:
Oguz Bektas (1):
use hmac_sha256 instead of sha1 for csrf token
PVE/AccessControl.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
pve-common:
Oguz Bektas (1):
use hmac_sha256 instead of sha1 for csrf token
src/PVE/Ticket.pm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--
2.11.0