CHANSERV: fix batcher rc4 burning in password urls

--HG--
branch : chanserv-live

diff --git a/chanserv/batcher/rc4.py b/chanserv/batcher/rc4.py
index 7fd8b468520532e5b2c9140d457dc75b050e1582..655eb542a91e88d1a77b7cdcd770505bb7344749 100644 (file)
--- a/chanserv/batcher/rc4.py
+++ b/chanserv/batcher/rc4.py
@@ -1,5 +1,5 @@
 class RC4:
-  def __init__(self, key, burn=0):
+  def __init__(self, key, burn=4096):
     s = range(256)
     for i in xrange(256):
       s[i] = i
@@ -8,7 +8,9 @@ class RC4:
       j = (j + s[i] + ord(key[i % len(key)])) % 256
       s[j], s[i] = s[i], s[j]
     self.__s = s
-#    self.crypt("\x00" * burn)
+
+    if burn:
+      self.crypt("\x00" * burn)
 
   def crypt(self, data):
     ret = []
@@ -20,5 +22,3 @@ class RC4:
       self.__s[i], self.__s[j] = self.__s[j], self.__s[i]
       ret.append(chr(ord(data[r]) ^ self.__s[(self.__s[i] + self.__s[j]) % 256]))
     return "".join(ret)
-
-

diff --git a/chanserv/batcher/templates.py b/chanserv/batcher/templates.py
index 4eedd0a217f2af013d11da3d9d2691fbbf81ce27..648f39cddb913c974393d73238b111cb811d7361 100644 (file)
--- a/chanserv/batcher/templates.py
+++ b/chanserv/batcher/templates.py
@@ -12,7 +12,7 @@ except ImportError:
 
 def generate_url(config, obj):
   s = os.urandom(4)
-  r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest())
+  r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest(), burn=0)
   a = r.crypt(obj["user.password"])
   b = md5.md5(md5.md5("%s %s %s %s" % (config["urlsecret"], obj["user.username"], a, s)).hexdigest()).hexdigest()
   obj["url"] = "%s?m=%s&h=%s&u=%s&r=%s" % (config["url"], a.encode("hex"), b, obj["user.username"].encode("hex"), s.encode("hex"))