import hmac
import hashlib
from deprecated import deprecated
from flask import url_for
from wqflask import app
@deprecated("This function leads to circular imports. "
"If possible use wqflask.decorators.create_hmac instead.")
def hmac_creation(stringy):
    """Return a truncated hex HMAC-SHA1 of *stringy*.

    The key is ``app.config['SECRET_HMAC_CODE']`` encoded as latin-1; the
    message is *stringy* encoded as UTF-8.  Only the first 20 hex digits
    (80 bits) of the digest are returned; a verifier must therefore
    recompute this function on the received data and compare the two
    20-character values with ``hmac.compare_digest``.
    """
    key_bytes = app.config['SECRET_HMAC_CODE'].encode("latin-1")
    msg_bytes = stringy.encode("utf-8")
    full_digest = hmac.new(key_bytes, msg_bytes, hashlib.sha1).hexdigest()
    # ZS: Leaving the below comment here to ask Pjotr about
    # "Conventional wisdom is that you don't lose much in terms of security if you throw away up to half of the output."
    # http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
    # Truncating the 40-hex-digit SHA1 output to 20 digits keeps 80 bits of tag.
    return full_digest[:20]
def data_hmac(stringy):
    """Return ``"<stringy>:<hmac>"`` so a later check can detect tampering.

    The tag appended after the colon is ``hmac_creation(stringy)``; the
    receiving side must split on the final colon and recompute the tag
    over the leading part.
    """
    tag = hmac_creation(stringy)
    return f"{stringy}:{tag}"
def url_for_hmac(endpoint, **values):
    """Like ``url_for`` but append an ``hm=`` query parameter carrying an HMAC.

    The tag is computed over the URL exactly as ``url_for`` produced it
    (path plus any existing query string); ``hm`` itself is not part of
    the authenticated data.  ``&`` is used as the joiner when the URL
    already has a query string, ``?`` otherwise.
    """
    url = url_for(endpoint, **values)
    tag = hmac_creation(url)
    joiner = "&" if '?' in url else "?"
    return f"{url}{joiner}hm={tag}"
# Expose the HMAC helpers to templates so links and embedded data carry a tag.
app.jinja_env.globals["url_for_hmac"] = url_for_hmac
app.jinja_env.globals["data_hmac"] = data_hmac