CHANSERV: fix batcher rc4 burning in password urls

[irc/quakenet/newserv.git] / chanserv / batcher / templates.py

diff --git a/chanserv/batcher/templates.py b/chanserv/batcher/templates.py
index 4a11f6f812a7570aa60dc543dda4fd5176c8b69e..648f39cddb913c974393d73238b111cb811d7361 100644 (file)
--- a/chanserv/batcher/templates.py
+++ b/chanserv/batcher/templates.py
@@ -12,7 +12,7 @@ except ImportError:
 
 def generate_url(config, obj):
   s = os.urandom(4)
-  r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest())
+  r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest(), burn=0)
   a = r.crypt(obj["user.password"])
   b = md5.md5(md5.md5("%s %s %s %s" % (config["urlsecret"], obj["user.username"], a, s)).hexdigest()).hexdigest()
   obj["url"] = "%s?m=%s&h=%s&u=%s&r=%s" % (config["url"], a.encode("hex"), b, obj["user.username"].encode("hex"), s.encode("hex"))
@@ -20,13 +20,15 @@ def generate_url(config, obj):
 def generate_activation_url(config, obj):
   r = os.urandom(16).encode("hex")
   uid = int(obj["user.id"])
+
+  r2 = RC4(sha256("rc4 %s %s" % (r, config["activationkey"])).hexdigest())
+  a = r2.crypt(obj["user.password"]).encode("hex")
+
   h = hmac.HMAC(sha256("hmac %s %s" % (r, config["activationkey"])).hexdigest())
-  h.update("%d %s %s" % (uid, obj["user.username"], obj["user.password"]))
+  h.update("%d %s %s" % (uid, obj["user.username"], a))
   hd = h.hexdigest()
 
-  r2 = RC4(sha256("rc4 %s %s" % (r, config["activationkey"])).hexdigest())
-  a = r2.crypt(obj["user.password"])
-  obj["url"] = "%s?id=%d&h=%s&r=%s&u=%s&p=%s" % (config["activationurl"], uid, hd, r, obj["user.username"].encode("hex"), a.encode("hex"))
+  obj["url"] = "%s?id=%d&h=%s&r=%s&u=%s&p=%s" % (config["activationurl"], uid, hd, r, obj["user.username"].encode("hex"), a)
 
 def generate_resetcode(config, obj):
   if obj["user.lockuntil"] == 0: