[pve-devel] [PATCH v3 access-control 1/2] use hmac_sha256 instead of sha1 for csrf token

Oguz Bektas o.bektas at proxmox.com
Tue Jun 18 15:19:15 CEST 2019


Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
 PVE/AccessControl.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 5de060d..499f0be 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -212,7 +212,7 @@ my $csrf_prevention_secret;
 my $get_csrfr_secret = sub {
     if (!$csrf_prevention_secret) {
 	my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
-	$csrf_prevention_secret = Digest::SHA::sha1_base64($input);
+	$csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
     }
     return $csrf_prevention_secret;
 };
-- 
2.11.0





More information about the pve-devel mailing list