From: Chris Porter
Date: Mon, 28 Dec 2015 02:00:16 +0000 (+0000)
Subject: CHANSERV: fix batcher rc4 burning in password urls
X-Git-Url: https://jfr.im/git/irc/quakenet/newserv.git/commitdiff_plain/bb7068406b133eabb3f61f1eaf36c45236464fe1

CHANSERV: fix batcher rc4 burning in password urls

--HG--
branch : chanserv-live
---

diff --git a/chanserv/batcher/rc4.py b/chanserv/batcher/rc4.py
index 7fd8b468..655eb542 100644
--- a/chanserv/batcher/rc4.py
+++ b/chanserv/batcher/rc4.py
@@ -1,5 +1,5 @@
 class RC4:
- def __init__(self, key, burn=0):
+ def __init__(self, key, burn=4096):
 s = range(256)
 for i in xrange(256):
 s[i] = i
@@ -8,7 +8,9 @@ class RC4:
 j = (j + s[i] + ord(key[i % len(key)])) % 256
 s[j], s[i] = s[i], s[j]
 self.__s = s
-# self.crypt("\x00" * burn)
+
+ if burn:
+ self.crypt("\x00" * burn)

 def crypt(self, data):
 ret = []
@@ -20,5 +22,3 @@ class RC4:
 self.__s[i], self.__s[j] = self.__s[j], self.__s[i]
 ret.append(chr(ord(data[r]) ^ self.__s[(self.__s[i] + self.__s[j]) % 256]))
 return "".join(ret)
-
-
diff --git a/chanserv/batcher/templates.py b/chanserv/batcher/templates.py
index 4eedd0a2..648f39cd 100644
--- a/chanserv/batcher/templates.py
+++ b/chanserv/batcher/templates.py
@@ -12,7 +12,7 @@ except ImportError:

 def generate_url(config, obj):
 s = os.urandom(4)
- r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest())
+ r = RC4(md5.md5("%s %s" % (s, config["urlkey"])).hexdigest(), burn=0)
 a = r.crypt(obj["user.password"])
 b = md5.md5(md5.md5("%s %s %s %s" % (config["urlsecret"], obj["user.username"], a, s)).hexdigest()).hexdigest()
 obj["url"] = "%s?m=%s&h=%s&u=%s&r=%s" % (config["url"], a.encode("hex"), b, obj["user.username"].encode("hex"), s.encode("hex"))
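Review bot: Changing the default in `def __init__(self, key, burn=4096):` (first rc4.py hunk, activated by the `if burn:` block in the second) alters the keystream for every caller that constructs `RC4(key)` without a `burn` argument, so anything encrypted before this commit no longer decrypts unless the peer discards the same 4096 bytes. Only the `templates.py` call site is pinned in this commit; any other users of `RC4`, none of which are visible here, should be checked and either pinned with `burn=0` or migrated together with their peers. A docstring on `__init__` would make the contract explicit, for example `"""key: non-empty byte string; burn: initial keystream bytes to discard (both ends must agree)."""`. The body of `__init__` continues outside this hunk.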
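Review bot: The new `if burn:` guard in the second rc4.py hunk does not validate the value: a negative `burn` makes `"\x00" * burn` an empty string, so the discard is silently skipped and the caller gets the undropped keystream it asked to avoid. A check such as `if burn < 0: raise ValueError("burn must be >= 0")` ahead of the guard would turn that into a visible error. The block also replaces a commented-out line without saying why it exists; a comment like `# RC4-drop: discard the first burn keystream bytes, which are statistically biased` would record the intent. `__init__` starts above this hunk, and the key-schedule loop is only partly visible.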
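Review bot: Pinning `burn=0` on the `RC4(...)` call in `generate_url` keeps `obj["user.password"]` encrypted under the undiscarded start of the RC4 keystream, which is the part with known statistical biases, while every other caller now gets the 4096-byte discard. This is presumably needed because whatever decodes the `m=` parameter does not discard either, but the line does not say so; a comment such as `# burn=0: must match the URL decoder; changing it invalidates issued links` would stop a later cleanup from breaking links. Separately, `s = os.urandom(4)` gives only 32 bits of per-URL key variation, so two URLs that draw the same `s` share a keystream. A versioned URL format with a longer random value and a non-zero discard, or a modern authenticated cipher, would be the longer-term fix. `generate_url` may continue past the end of this hunk.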