From f81b955aa542697bf07487ce103f26cd8e3bcfe3 Mon Sep 17 00:00:00 2001
From: Martin Zimmermann
Date: Wed, 18 Dec 2013 10:57:12 +0100
Subject: [PATCH] use SHA1 instead of MD5 to verify comment owner
---
isso/views/comments.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/isso/views/comments.py b/isso/views/comments.py
index 4d8183a..1321193 100644
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@@ -21,8 +21,8 @@ from isso.utils.crypto import pbkdf2
from isso.views import requires
-def md5(text):
- return hashlib.md5(text.encode('utf-8')).hexdigest()
+def sha1(text):
+ return hashlib.sha1(text.encode('utf-8')).hexdigest()
class JSON(Response):
@@ -166,7 +166,7 @@ class API(object):
self.signal("comments.new:after-save", thread, rv)
cookie = functools.partial(dump_cookie,
- value=self.isso.sign([rv["id"], md5(rv["text"])]),
+ value=self.isso.sign([rv["id"], sha1(rv["text"])]),
max_age=self.conf.getint('max-age'))
rv["text"] = markdown(rv["text"])
@@ -211,7 +211,7 @@ class API(object):
raise Forbidden
# verify checksum, mallory might skip cookie deletion when he deletes a comment
- if rv[1] != md5(self.comments.get(id)["text"]):
+ if rv[1] != sha1(self.comments.get(id)["text"]):
raise Forbidden
data = request.get_json()
@@ -233,7 +233,7 @@ class API(object):
self.signal("comments.edit", rv)
cookie = functools.partial(dump_cookie,
- value=self.isso.sign([rv["id"], md5(rv["text"])]),
+ value=self.isso.sign([rv["id"], sha1(rv["text"])]),
max_age=self.conf.getint('max-age'))
rv["text"] = markdown(rv["text"])
@@ -255,7 +255,7 @@ class API(object):
raise Forbidden
# verify checksum, mallory might skip cookie deletion when he deletes a comment
- if rv[1] != md5(self.comments.get(id)["text"]):
+ if rv[1] != sha1(self.comments.get(id)["text"]):
raise Forbidden
item = self.comments.get(id)
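Review bot: The new `sha1` helper has no docstring, and nothing in the hunk tells a future reader why an unkeyed, non-password digest is adequate here; the only visible consumers wrap its output in `self.isso.sign([...])`, so it serves as a change-detection fingerprint inside an already-signed cookie value, not as a credential hash. A one-line docstring would keep someone from "upgrading" it again or bolting on a salt: `"""Hex SHA-1 of *text* (UTF-8). Only a fingerprint inside the signed owner cookie, so a cookie stops matching once the comment text changes; not a credential hash."""`. That reasoning assumes `self.isso.sign` produces an authenticated (MAC-style) value, which is defined outside this hunk and worth confirming.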
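Review bot: The check `if rv[1] != sha1(self.comments.get(id)["text"]):` now rejects every owner cookie issued before this commit, because those cookies carry the MD5 digest the removed line produced; assuming `rv` is the verified cookie payload, existing comment owners silently lose edit and delete access until their cookie hits `max-age`, and the commit message does not mention this. If that is acceptable, say so in the message; otherwise accept either digest for one max-age window, e.g. `text = self.comments.get(id)["text"]` / `if rv[1] not in (sha1(text), md5(text)): raise Forbidden`, which means keeping the removed `md5` helper until the transition ends. The enclosing method starts and ends outside the hunk.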
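Review bot: The delete path reads the comment twice: once inside the new check `sha1(self.comments.get(id)["text"])` and again two lines later in `item = self.comments.get(id)`. Fetch it once by moving `item = self.comments.get(id)` above the check and comparing against `sha1(item["text"])`; that drops a query and removes the small window in which the two reads could observe different rows. The edit hunk at line 211 has the same double lookup. If `self.comments.get(id)` can return `None` for an unknown id, the subscript raises `TypeError` (a 500) rather than a 4xx — whether an earlier guard already prevents that is outside the hunk.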