use hmac_sha256 instead of sha1 for csrf token

author Oguz Bektas <o.bektas@proxmox.com>

Wed, 19 Jun 2019 07:39:33 +0000 (09:39 +0200)

committer Thomas Lamprecht <t.lamprecht@proxmox.com>

Wed, 19 Jun 2019 10:01:51 +0000 (12:01 +0200)
author Oguz Bektas <o.bektas@proxmox.com>
Wed, 19 Jun 2019 07:39:33 +0000 (09:39 +0200)
committer Thomas Lamprecht <t.lamprecht@proxmox.com>
Wed, 19 Jun 2019 10:01:51 +0000 (12:01 +0200)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm

index 6ac99ac28d716d321d2778bfd4e80f441701044d..e3f90eefbf6256ec3f37f033d30af31f848a245b 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -215,7 +215,7 @@ my $csrf_prevention_secret;
  my $get_csrfr_secret = sub {
      if (!$csrf_prevention_secret) {
         my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
-       $csrf_prevention_secret = Digest::SHA::sha1_base64($input);
+       $csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
      }
      return $csrf_prevention_secret;
  };
author	Oguz Bektas <o.bektas@proxmox.com>
	Wed, 19 Jun 2019 07:39:33 +0000 (09:39 +0200)
committer	Thomas Lamprecht <t.lamprecht@proxmox.com>
	Wed, 19 Jun 2019 10:01:51 +0000 (12:01 +0200)