[pve-devel] [PATCH v4 0/3] use hmac_sha256 instead of sha1 for csrf token

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jun 19 12:36:46 CEST 2019


On 6/19/19 9:39 AM, Oguz Bektas wrote:
> we use sha1 while generating our csrf token, switched to hmac sha256 as
> suggested in owasp csrf cheatsheet[0].
> 
> [0]: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md#token-based-mitigation
> 
> pve-access-control:
> Oguz Bektas (1):
>   use hmac_sha256 instead of sha1 for csrf token
> 
>  PVE/AccessControl.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> pve-common:
> Oguz Bektas (2):
>   add fallback/new csrf token recognition
>   use hmac_sha256 when assembling csrf token
> 
>  src/PVE/Ticket.pm | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> 

applied series, thanks!
the "add fallback/new csrf token recognition" also to stable-5
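The scheme the series describes, signing the CSRF token with HMAC-SHA256 while still recognizing tokens issued under the old SHA-1 scheme during the transition, sketched in Python as an added example. This is not the PVE code from Ticket.pm or AccessControl.pm; the token layout (hex timestamp, colon, digest), the legacy digest construction, the lifetime and the secret are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real deployment reads a per-cluster secret from disk.
SECRET = b"constructed-demo-csrf-secret"
TOKEN_LIFETIME = 3600  # seconds a token stays valid after issue

def hmac_sha256_mac(secret, username, ts_hex):
    """New scheme: keyed HMAC-SHA256 over the timestamp and user name."""
    return hmac.new(secret, f"{ts_hex}:{username}".encode(), hashlib.sha256).hexdigest()

def legacy_sha1_mac(secret, username, ts_hex):
    """Old scheme (assumed layout): unkeyed SHA-1 over secret plus data.
    Kept only so tokens issued before the switch still verify during the transition."""
    return hashlib.sha1(secret + f"{ts_hex}:{username}".encode()).hexdigest()

def make_csrf_token(username, secret=SECRET, now=None):
    """Issue a token of the form HEXTIMESTAMP:HMAC_SHA256_HEX (constructed layout)."""
    ts_hex = format(int(time.time() if now is None else now), "08X")
    return f"{ts_hex}:{hmac_sha256_mac(secret, username, ts_hex)}"

def make_legacy_csrf_token(username, secret=SECRET, now=None):
    """Issue a token under the old SHA-1 scheme; used here only to exercise the fallback."""
    ts_hex = format(int(time.time() if now is None else now), "08X")
    return f"{ts_hex}:{legacy_sha1_mac(secret, username, ts_hex)}"

def verify_csrf_token(token, username, secret=SECRET, now=None, accept_legacy=True):
    """Return True if token is a valid, unexpired CSRF token for username.

    The HMAC-SHA256 form is checked first; if accept_legacy is set, a token
    carrying the old SHA-1 digest is accepted as a fallback. Once the transition
    window has passed, callers should pass accept_legacy=False.
    """
    try:
        ts_hex, mac = token.split(":", 1)
        ts = int(ts_hex, 16)
    except ValueError:
        return False  # malformed token
    now = int(time.time() if now is None else now)
    if ts > now or now - ts > TOKEN_LIFETIME:
        return False  # issued in the future or expired
    # compare_digest keeps the comparison constant-time regardless of where digests differ
    if hmac.compare_digest(mac, hmac_sha256_mac(secret, username, ts_hex)):
        return True
    return accept_legacy and hmac.compare_digest(mac, legacy_sha1_mac(secret, username, ts_hex))
```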