[pmg-devel] [PATCH api] use hmac_sha_256 for csrf token

Oguz Bektas o.bektas at proxmox.com
Thu Jul 25 12:36:47 CEST 2019


hi,

shouldn't we apply this for compatibility?

On Tue, Jun 18, 2019 at 04:37:02PM +0200, Oguz Bektas wrote:
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
> 
> analog change from PVE access-control and common, to switch the hashing function
> for csrf tokens with a secure alternative (HMAC SHA256).
> 
> i think no other change is needed, since we do verification from PVE stack. my
> previous patch series should be applied first.
> 
>  PMG/Ticket.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PMG/Ticket.pm b/PMG/Ticket.pm
> index c9cf096..b1408da 100644
> --- a/PMG/Ticket.pm
> +++ b/PMG/Ticket.pm
> @@ -139,7 +139,7 @@ my $read_csrf_secret = sub {
>  
>     my $input = <$fh>;
>  
> -   return Digest::SHA::sha1_base64($input);
> +   return Digest::SHA::hmac_sha256_base64($input);
>  };
>  
>  PVE::INotify::register_file('csrf_secret', $pmg_csrf_key_fn,
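Review bot: On the `+` line, `Digest::SHA::hmac_sha256_base64($input)` is called with a single argument, but an HMAC needs both a message and a key (Digest::SHA's functional form is `hmac_sha256_base64($data, $key)`), so it is unclear what is being keyed with what. If `$read_csrf_secret` is only meant to derive the stored secret from the file content, `sha256_base64($input)` would state that directly; if a keyed digest is intended, pass the data and the key explicitly. A short comment noting that the returned value has to match what the PVE-side verification derives would also help, since the description says verification happens in the PVE stack.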
> -- 
> 2.11.0
> 
> 


