From a2d8454880cd4307d6cf300284c3c368c006ae08 Mon Sep 17 00:00:00 2001 From: Eva Date: Mon, 22 May 2023 11:38:24 +0200 Subject: [PATCH 1/2] server/posts: file sha1 in filenames and prevent offline secret cracking Imagine if we had a bunch of simple strings encrypted with the same key we use to salt passwords, publicly accessible, which would undermine our salting model by removing the requirement of filesystem access to crack our users' passwords, requiring only database access and offline cracking of our secret. Wouldn't that be fun? --- server/szurubooru/func/posts.py | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/server/szurubooru/func/posts.py b/server/szurubooru/func/posts.py index be2259cf..020ce60a 100644 --- a/server/szurubooru/func/posts.py +++ b/server/szurubooru/func/posts.py @@ -97,20 +97,12 @@ FLAG_MAP = { } -def get_post_security_hash(id: int) -> str: - return hmac.new( - config.config["secret"].encode("utf8"), - msg=str(id).encode("utf-8"), - digestmod="md5", - ).hexdigest()[0:16] - - def get_post_content_url(post: model.Post) -> str: assert post return "%s/posts/%d_%s.%s" % ( config.config["data_url"].rstrip("/"), post.post_id, - get_post_security_hash(post.post_id), + post.checksum, mime.get_extension(post.mime_type) or "dat", ) @@ -120,7 +112,7 @@ def get_post_thumbnail_url(post: model.Post) -> str: return "%s/generated-thumbnails/%d_%s.jpg" % ( config.config["data_url"].rstrip("/"), post.post_id, - get_post_security_hash(post.post_id), + post.checksum, ) @@ -129,7 +121,7 @@ def get_post_content_path(post: model.Post) -> str: assert post.post_id return "posts/%d_%s.%s" % ( post.post_id, - get_post_security_hash(post.post_id), + post.checksum, mime.get_extension(post.mime_type) or "dat", ) @@ -138,7 +130,7 @@ def get_post_thumbnail_path(post: model.Post) -> str: assert post return "generated-thumbnails/%d_%s.jpg" % ( post.post_id, - get_post_security_hash(post.post_id), + post.checksum, ) @@ -146,7 +138,7 @@ def get_post_thumbnail_backup_path(post: model.Post) -> str: assert post return "posts/custom-thumbnails/%d_%s.dat" % ( post.post_id, - get_post_security_hash(post.post_id), + post.checksum, ) From 90cc0b3d596c5abde5c2206d52ed96c58aeefe32 Mon Sep 17 00:00:00 2001 From: Eva Date: Mon, 22 May 2023 11:53:23 +0200 Subject: [PATCH 2/2] client/posts: remove cache buster query string on post file change Since filenames now use the new file's sha1. --- client/js/controls/post_content_control.js | 1 - client/js/models/post.js | 7 ------- 2 files changed, 8 deletions(-) diff --git a/client/js/controls/post_content_control.js b/client/js/controls/post_content_control.js index 55daca76..e33c7b42 100644 --- a/client/js/controls/post_content_control.js +++ b/client/js/controls/post_content_control.js @@ -88,7 +88,6 @@ class PostContentControl { _evtPostContentChange(e) { this._post = e.detail.post; - this._post.mutateContentUrl(); this._reinstall(); } diff --git a/client/js/models/post.js b/client/js/models/post.js index 2fb3d34c..7d4e27df 100644 --- a/client/js/models/post.js +++ b/client/js/models/post.js @@ -454,13 +454,6 @@ class Post extends events.EventTarget { }); } - mutateContentUrl() { - this._contentUrl = - this._orig._contentUrl + - "?bypass-cache=" + - Math.round(Math.random() * 1000); - } - _updateFromResponse(response) { const map = () => ({ _version: response.version,