From 17996cc8d5c2f8e9011905aaba300acf284ff692 Mon Sep 17 00:00:00 2001
From: Roland Mas
Date: Fri, 26 Apr 2013 13:45:23 +0200
Subject: [PATCH] Updated copy of fusionforge.py with latest changes
---
 src/plugins/moinmoin/lib/fusionforge.py.fg_template | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/plugins/moinmoin/lib/fusionforge.py.fg_template b/src/plugins/moinmoin/lib/fusionforge.py.fg_template
index 9df5d1e..2d55781 100644
--- a/src/plugins/moinmoin/lib/fusionforge.py.fg_template
+++ b/src/plugins/moinmoin/lib/fusionforge.py.fg_template
@@ -9,6 +9,7 @@
 import base64
 import hashlib
+import hmac
 import logging
 import psycopg2
 import re
@@ -39,7 +40,7 @@ class FusionForgeLink():
 self.cachedconfig[secname] = {}
 if varname not in self.cachedconfig[secname]:
 self.cachedconfig[secname][varname] = \
- subprocess.Popen(["@BINARY_PATH@/forge_get_config",
+ subprocess.Popen(["@BINARY_PATH@",
 varname, secname],
 stdout=subprocess.PIPE).communicate()[0].rstrip('\n')
 return self.cachedconfig[secname][varname]
@@ -208,19 +209,21 @@ class FusionForgeSessionAuth(BaseAuth):
 cookievalue = \
 urllib.unquote(cookies[cookiename]).decode('iso-8859-1')
- m = re.search('(.*)-\*-(.*)', cookievalue)
+ m = re.search('^([A-Za-z0-9+/=]+)!([A-Za-z0-9+/=]+)$', cookievalue)
 if m is None:
 continue
 (sserial, shash) = m.group(1, 2)
 sdata = base64.b64decode(sserial)
- if hashlib.md5(sdata + self.session_key).hexdigest() != shash:
+ shash = base64.b64decode(shash)
+ H = hmac.new(self.session_key, sdata, hashlib.sha256)
+ if H.digest() != shash:
 continue
- m = re.search('(.*)-\*-(.*)-\*-(.*)-\*-(.*)', sdata)
+ m = re.search('(.*)<(.*)<(.*)<(.*)', sdata)
 if m is None:
 continue
- (user_id, time, ip, user_agent) = m.group(1, 2, 3, 4)
+ (time, user_id, ip, user_agent) = m.group(1, 2, 3, 4)
 conn = self.fflink._conn
 cur = conn.cursor()
--
2.1.4
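Review bot: The helper's exit status is never checked in the `subprocess.Popen([...]).communicate()[0].rstrip('\n')` expression, so a failing call caches and returns an empty string as the configuration value. If `self.session_key`, used for the HMAC later in this patch, is read through this method (not visible here), an empty key would silently weaken the cookie check. Keep the `Popen` object, test `returncode` after `communicate()`, and raise instead of caching, as in the excerpt below. The method begins outside the hunk.

```python
proc = subprocess.Popen(["@BINARY_PATH@", varname, secname],
                        stdout=subprocess.PIPE)
out = proc.communicate()[0]
if proc.returncode != 0:
    # do not cache an empty value produced by a failed lookup
    raise RuntimeError("config lookup failed for %s/%s"
                       % (secname, varname))
self.cachedconfig[secname][varname] = out.rstrip('\n')
# … unchanged: return of the cached value …
```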
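Review bot: The MAC check `if H.digest() != shash:` compares with `!=`, which is not constant-time, and the two `base64.b64decode` calls before it can raise on a cookie the new regex still accepts (wrong padding, for instance), so a malformed cookie raises instead of being skipped. Use `hmac.compare_digest` (available from Python 2.7.7) and turn a decode error into `continue`, as in the excerpt below. Separately, the greedy `'(.*)<(.*)<(.*)<(.*)'` pattern lets a `<` inside the last field shift the earlier groups; `sdata.split('<', 3)` with a length check would keep the first three fields fixed. The enclosing method starts and ends outside the hunk.

```python
(sserial, shash) = m.group(1, 2)
try:
    sdata = base64.b64decode(sserial)
    shash = base64.b64decode(shash)
except (TypeError, ValueError):
    # malformed base64 in a client-supplied cookie: treat as no session
    continue
H = hmac.new(self.session_key, sdata, hashlib.sha256)
if not hmac.compare_digest(H.digest(), shash):
    continue
# … unchanged: field split and database lookup …
```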