[pve-devel] [PATCH common 1/3] add fallback/new csrf token recognition
Oguz Bektas
o.bektas at proxmox.com
Wed Jun 19 09:39:31 CEST 2019
Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
src/PVE/Ticket.pm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
index 5935ba5..b5d2758 100644
--- a/src/PVE/Ticket.pm
+++ b/src/PVE/Ticket.pm
@@ -33,7 +33,13 @@ sub verify_csrf_prevention_token {
my $timestamp = $1;
my $ttime = hex($timestamp);
- my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+ my $digest;
+ if (length($sig) == 27) {
+ # detected sha1 csrf token from older proxy, switching to fallback. FIXME: remove with 7.0
+ $digest = Digest::SHA::sha1_base64("$timestamp:$username", "$secret");
+ } else {
+ $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", "$secret");
+ }
my $age = time() - $ttime;
return 1 if ($digest eq $sig) && ($age > $min_age) &&
--
2.11.0
More information about the pve-devel
mailing list