changeset 6128:561b7a9c2bd9

fix wrong digestmod of hmac.new calls: stdlib default is md5, but we need sha1. This bug was introduced when removing python_compatibility module usage in changeset 500f68d3e2fd594b2f4ea4a272b828a07d9eac1d.
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 01 Nov 2016 17:56:32 +0100
parents af23cef9675c
children 7f12cf241d5e
files MoinMoin/action/cache.py MoinMoin/security/textcha.py MoinMoin/user.py MoinMoin/wikiutil.py
diffstat 4 files changed, 8 insertions(+), 8 deletions(-) [+]
--- a/MoinMoin/action/cache.py	Mon Oct 31 22:58:54 2016 +0100
+++ b/MoinMoin/action/cache.py	Tue Nov 01 17:56:32 2016 +0100
@@ -28,7 +28,7 @@
 """
 
 from datetime import datetime
-import hmac
+import hmac, hashlib
 
 from MoinMoin import log
 logging = log.getLogger(__name__)
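Review bot: `import hmac, hashlib` puts two modules on one import line, which PEP 8 advises against; the same form is added in MoinMoin/security/textcha.py and MoinMoin/wikiutil.py. Writing `import hashlib` and `import hmac` on separate lines matches the one-module-per-line style of the neighbouring `import re` and `import os` lines in those hunks and keeps later changes to the import block easy to read.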
@@ -99,7 +99,7 @@
         raise AssertionError('cache_key called with unsupported parameters')
 
     hmac_data = hmac_data.encode('utf-8')
-    key = hmac.new(secret, hmac_data).hexdigest()
+    key = hmac.new(secret, hmac_data, digestmod=hashlib.sha1).hexdigest()
     return key
 
 
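Review bot: The digest is now spelled out as `digestmod=hashlib.sha1` at this call and again in textcha.py, user.py (twice) and wikiutil.py, so a later refactor can drop it at one call site in the same way the commit message describes. A single shared helper, for example `def hmac_sha1_hex(key, msg): return hmac.new(key, msg, digestmod=hashlib.sha1).hexdigest()`, would keep the algorithm choice in one place. Values computed while the MD5 default was in effect will no longer match after this change; presumably that only affects cache keys and tokens issued in that window. cache_key starts outside the hunk.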
--- a/MoinMoin/security/textcha.py	Mon Oct 31 22:58:54 2016 +0100
+++ b/MoinMoin/security/textcha.py	Tue Nov 01 17:56:32 2016 +0100
@@ -19,7 +19,7 @@
     @copyright: 2007 by MoinMoin:ThomasWaldmann
     @license: GNU GPL, see COPYING for details.
 """
-import hmac
+import hmac, hashlib
 import re
 import random
 
@@ -84,7 +84,7 @@
 
     def _compute_signature(self, question, timestamp):
         signature = u"%s%d" % (question, timestamp)
-        return hmac.new(self.secret, signature.encode('utf-8')).hexdigest()
+        return hmac.new(self.secret, signature.encode('utf-8'), digestmod=hashlib.sha1).hexdigest()
 
     def _init_qa(self, question=None):
         """ Initialize the question / answer.
--- a/MoinMoin/user.py	Mon Oct 31 22:58:54 2016 +0100
+++ b/MoinMoin/user.py	Tue Nov 01 17:56:32 2016 +0100
@@ -1260,7 +1260,7 @@
     def generate_recovery_token(self):
         key = random_string(64, "abcdefghijklmnopqrstuvwxyz0123456789")
         msg = str(int(time.time()))
-        h = hmac.new(key, msg).hexdigest()
+        h = hmac.new(key, msg, digestmod=hashlib.sha1).hexdigest()
         self.recoverpass_key = key
         self.save()
         return msg + '-' + h
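Review bot: `hashlib.sha1` is used on the `hmac.new` line here and in the second user.py hunk, but unlike the other three files this diff adds no `import hashlib` to user.py. Unless the module already imports it outside the visible context, both recovery-token paths would raise NameError, so confirm the import or add `import hashlib` at the top of the module. The key from `random_string(64, ...)` is the only secret behind the token, so it is also worth checking that random_string draws from a cryptographically secure source, which is not visible here.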
@@ -1278,7 +1278,7 @@
             return False
         # check hmac
         # key must be of type string
-        h = hmac.new(str(self.recoverpass_key), str(stamp)).hexdigest()
+        h = hmac.new(str(self.recoverpass_key), str(stamp), digestmod=hashlib.sha1).hexdigest()
         if not safe_str_equal(h, parts[1]):
             return False
         self.recoverpass_key = ""
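Review bot: Nothing visible before the `hmac.new` call rejects an empty `recoverpass_key`, and the last line of the hunk resets it to `""` after a successful use, so the check can run with a key that is not secret. The function starts outside the hunk; if no earlier guard exists, add `if not self.recoverpass_key: return False` ahead of the HMAC computation so that an account with no pending recovery request can never match. The `safe_str_equal` comparison is the right choice and should stay.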
--- a/MoinMoin/wikiutil.py	Mon Oct 31 22:58:54 2016 +0100
+++ b/MoinMoin/wikiutil.py	Tue Nov 01 17:56:32 2016 +0100
@@ -12,7 +12,7 @@
 
 import cgi
 import codecs
-import hmac
+import hmac, hashlib
 import os
 import re
 import time
@@ -2530,7 +2530,7 @@
         hmac_data.append(value)
 
     h = hmac.new(request.cfg.secrets['wikiutil/tickets'],
-                 ''.join(hmac_data))
+                 ''.join(hmac_data), digestmod=hashlib.sha1)
     return "%s.%s" % (tm, h.hexdigest())
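Review bot: `''.join(hmac_data)` feeds the fields into the HMAC with no separator or length prefix, so two different field lists can concatenate to the same string and produce the same ticket. The contents of hmac_data are built outside the hunk, so this may be harmless for the current callers, but joining on a character that cannot occur in the values, or length-prefixing each field, removes the ambiguity. A short comment here stating that tickets are HMAC-SHA1 over the ordered fields under the `wikiutil/tickets` secret would also help the next reader.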