key parameter is not hexadecimal encoded

Open josch opened this issue 6 years ago • 0 comments

Hi,

the key parameter is not hexadecimal encoded as the help text suggests:

  -key string
    	HMAC url validation key (hexadecimal encoded) - leave blank to disable

proof:

$ morty -listen 127.0.0.1:3000 -key foobar
$ echo -n 'http://127.0.0.1:8000/' | openssl dgst -sha256 -hmac foobar
$ curl 'http://127.0.0.1:3000/?mortyurl=http://127.0.0.1:8000/&mortyhash=047a8c0a42af40750448bc8b72221e70751d23b82bd973feae03207be0630650'

This suggests that the value of -key is not hexadecimal encoded but just taken as its raw binary value. Another indication for this conclusion is this bug I filed to searx: https://github.com/asciimoo/searx/issues/1310 To give searx the right key, I had to base64-encode the ASCII representation of the key and did not need to turn a hexadecimal key to binary directly.

josch, May 31 '18 06:05
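A check for the two key readings discussed in the issue, as an added example that is not part of the original post and not morty's own code. It assumes the hash is a hex-encoded HMAC-SHA256 over the URL, as in the openssl command above; `sign`, `signHex` and `keyReading` are hypothetical names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sign returns the HMAC-SHA256 of url under key (raw digest bytes).
func sign(key []byte, url string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(url))
	return m.Sum(nil)
}

// signHex returns the digest in the hex form that openssl dgst prints.
func signHex(key []byte, url string) string { return hex.EncodeToString(sign(key, url)) }

// keyReading reports how a -key argument must have been interpreted for
// observedHash (hex) to validate url: "raw", "hex", "both" or "neither".
func keyReading(keyArg, url, observedHash string) string {
	want, err := hex.DecodeString(observedHash)
	if err != nil {
		return "neither"
	}
	raw := hmac.Equal(sign([]byte(keyArg), url), want) // key bytes used as typed
	hexOK := false
	if k, err := hex.DecodeString(keyArg); err == nil { // key hex-decoded first
		hexOK = hmac.Equal(sign(k, url), want)
	}
	switch {
	case raw && hexOK:
		return "both"
	case raw:
		return "raw"
	case hexOK:
		return "hex"
	}
	return "neither"
}

func main() {
	const url = "http://127.0.0.1:8000/"
	// Hash copied from the curl command in the issue.
	const issueHash = "047a8c0a42af40750448bc8b72221e70751d23b82bd973feae03207be0630650"
	fmt.Println("issue hash under -key foobar:", keyReading("foobar", url, issueHash))
	// "foobar" contains non-hex characters, so it cannot be hex-decoded at all.
	_, err := hex.DecodeString("foobar")
	fmt.Println("foobar decodes as hex:", err == nil)
}
```

When client and server disagree on the reading, every signed URL fails validation, so the same check is useful when wiring morty to another service that holds the key in a different encoding.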