From a2d8454880cd4307d6cf300284c3c368c006ae08 Mon Sep 17 00:00:00 2001
From: Eva
Date: Mon, 22 May 2023 11:38:24 +0200
Subject: [PATCH] server/posts: file sha1 in filenames and prevent offline secret cracking

Imagine if we had a bunch of simple strings encrypted with the same key we use to salt passwords, publicly accessible, which would undermine our salting model by removing the requirement of filesystem access to crack our users' passwords, requiring only database access and offline cracking of our secret. Wouldn't that be fun?
---
 server/szurubooru/func/posts.py | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/server/szurubooru/func/posts.py b/server/szurubooru/func/posts.py
index be2259cf..020ce60a 100644
--- a/server/szurubooru/func/posts.py
+++ b/server/szurubooru/func/posts.py
@@ -97,20 +97,12 @@ FLAG_MAP = {
 }
-def get_post_security_hash(id: int) -> str:
- return hmac.new(
- config.config["secret"].encode("utf8"),
- msg=str(id).encode("utf-8"),
- digestmod="md5",
- ).hexdigest()[0:16]
-
-
 def get_post_content_url(post: model.Post) -> str:
 assert post
 return "%s/posts/%d_%s.%s" % (
 config.config["data_url"].rstrip("/"),
 post.post_id,
- get_post_security_hash(post.post_id),
+ post.checksum,
 mime.get_extension(post.mime_type) or "dat",
 )
@@ -120,7 +112,7 @@ def get_post_thumbnail_url(post: model.Post) -> str:
 return "%s/generated-thumbnails/%d_%s.jpg" % (
 config.config["data_url"].rstrip("/"),
 post.post_id,
- get_post_security_hash(post.post_id),
+ post.checksum,
 )
@@ -129,7 +121,7 @@ def get_post_content_path(post: model.Post) -> str:
 assert post.post_id
 return "posts/%d_%s.%s" % (
 post.post_id,
- get_post_security_hash(post.post_id),
+ post.checksum,
 mime.get_extension(post.mime_type) or "dat",
 )
@@ -138,7 +130,7 @@ def get_post_thumbnail_path(post: model.Post) -> str:
 assert post
 return "generated-thumbnails/%d_%s.jpg" % (
 post.post_id,
- get_post_security_hash(post.post_id),
+ post.checksum,
 )
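Review bot: The path and URL builders in this hunk (and in `@@ -120`, `@@ -129`, `@@ -138`, `@@ -146`) interpolate `post.checksum` through `%s` with no check that it is set, whereas the old suffix was computed from `post.post_id`, which `get_post_content_path` already asserts; a post whose checksum is still `None` would silently resolve to a name like `posts/<id>_None.<ext>`. Add `assert post.checksum` beside the existing `assert post` in each of these functions so a missing checksum fails loudly instead of producing a bogus path. Because these same functions locate files already on disk, every post stored under the HMAC-derived name is no longer found after this change; the diffstat shows only this file changing, so unless a rename migration ships separately, existing posts will resolve to missing files. Dropping the truncated HMAC-MD5 keyed with the shared secret from public URLs is the right call, since each published `<id>_<tag>` pair served as a verification oracle for offline guessing of that secret, while a content SHA-1 reveals only a property of the file itself.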
@@ -146,7 +138,7 @@ def get_post_thumbnail_backup_path(post: model.Post) -> str:
 assert post
 return "posts/custom-thumbnails/%d_%s.dat" % (
 post.post_id,
- get_post_security_hash(post.post_id),
+ post.checksum,
 )
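Review bot: `get_post_thumbnail_backup_path` now derives the custom-thumbnail backup name from the post's content checksum, so if a post's content is later replaced the backup remains under the old name while this function starts looking under the new one, and the same holds for the thumbnail paths in the earlier hunks. Whatever code handles content replacement is not in this diff and would need to move or regenerate these files, or the custom thumbnail is silently orphaned. The function's `def` line is only the hunk's context header, and the header counts seven lines where five are visible, so its trailing context lies outside what is shown.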