X-Git-Url: https://git.proxmox.com/?p=pve-common.git;a=blobdiff_plain;f=src%2FPVE%2FTicket.pm;h=c5508edd17aabca076a020c3a62c8c666b014595;hp=b5d275862754710889964d00c3b6cd6ebe9f5e3c;hb=HEAD;hpb=62fc2ad81e95fd553d5487874160003e998cc2d6

diff --git a/src/PVE/Ticket.pm b/src/PVE/Ticket.pm
index b5d2758..c5508ed 100644
--- a/src/PVE/Ticket.pm
+++ b/src/PVE/Ticket.pm
@@ -8,6 +8,7 @@ use Crypt::OpenSSL::RSA;
 use MIME::Base64;
 use Digest::SHA;
 use Time::HiRes qw(gettimeofday);
+use URI::Escape;
 
 use PVE::Exception qw(raise);
 
@@ -20,7 +21,7 @@ sub assemble_csrf_prevention_token {
 
     my $timestamp = sprintf("%08X", time());
 
-    my $digest = Digest::SHA::sha1_base64("$timestamp:$username", $secret);
+    my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
 
     return "$timestamp:$digest";
 }
@@ -33,13 +34,7 @@ sub verify_csrf_prevention_token {
 	my $timestamp = $1;
 	my $ttime = hex($timestamp);
 
-	my $digest;
-	if (length($sig) == 27) {
-	    # detected sha1 csrf token from older proxy, switching to fallback. FIXME: remove with 7.0
-	    $digest = Digest::SHA::sha1_base64("$timestamp:$username", "$secret");
-	} else {
-	    $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", "$secret");
-	}
+	my $digest = Digest::SHA::hmac_sha256_base64("$timestamp:$username", $secret);
 
 	my $age = time() - $ttime;
 	return 1 if ($digest eq $sig) && ($age > $min_age) &&
@@ -60,7 +55,10 @@ sub assemble_rsa_ticket {
 
     my $plain = "$prefix:";
 
-    $plain .= "$data:" if defined($data);
+    if (defined($data)) {
+	$data = uri_escape($data, ':');
+	$plain .= "$data:";
+    }
 
     $plain .= $timestamp;
 
@@ -88,6 +86,10 @@ sub verify_rsa_ticket {
 
 		my $age = time() - $ttime;
 
+		if (defined($data)) {
+		    $data = uri_unescape($data);
+		}
+
 		if (($age > $min_age) && ($age < $max_age)) {
 		    if (defined($data)) {
 			return wantarray ? ($data, $age) : $data;