now generates & verifies with hmac_sha1. also left the old digest format
for backwards compatibility during verification, to be removed at some
later time.
Signed-off-by: Oguz Bektas <o.bek...@proxmox.com>
---
src/PVE/Ticket.pm | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
index 5935ba5..629ec11 100644
--- a/src/PVE/Ticket.pm
+++ b/src/PVE/Ticket.pm
@@ -20,7 +20,7 @@ sub assemble_csrf_prevention_token {
my $timestamp = sprintf("%08X", time());
- my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+ my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username",
$secret);
return "$timestamp:$digest";
}
@@ -33,10 +33,13 @@ sub verify_csrf_prevention_token {
my $timestamp = $1;
my $ttime = hex($timestamp);
+ my $hmac_digest =
Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
+
+ # fallback
my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
my $age = time() - $ttime;
- return 1 if ($digest eq $sig) && ($age > $min_age) &&
+ return 1 if (($digest eq $sig) or ($hmac_digest eq $sig)) && ($age >
$min_age) &&
($age < $max_age);
}
--
2.11.0
_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
