NTab仓库
fjmwkj
/
searxng
mirror of https://github.com/searxng/searxng
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

[fix] use hmac.compare_digest instead of ==

see https://docs.python.org/3/library/hmac.html#hmac.HMAC.hexdigest
Alexandre Flament 3 years ago
parent
c6922ae7c5
commit
d784870209
1 changed files with 3 additions and 2 deletions
Unified View Show Diff Stats
  1. 3 2
      searx/webapp.py

+ 3 - 2
searx/webapp.py
View File 

@@ -1067,8 +1067,9 @@ def image_proxy():
 
     if not url:
 
     if not url:
 
         return '', 400
 
         return '', 400
 
 
 
-    h = new_hmac(settings['server']['secret_key'], url.encode())
 
-    if h != request.args.get('h'):
 
+    h_url = new_hmac(settings['server']['secret_key'], url.encode())
 
+    h_args = request.args.get('h')
 
+    if len(h_url) != len(h_args) or not hmac.compare_digest(h_url, h_args):
 
         return '', 400
 
         return '', 400
 
 
 
     maximum_size = 5 * 1024 * 1024
 
     maximum_size = 5 * 1024 * 1024

© 2025 NTab仓库
Page: 471ms Template: 210ms 微信 微信二维码 哔哩哔哩 Sina Weibo Javascript Licenses Website