morty
morty copied to clipboard
key parameter is not hexadecimal encoded
Hi,
the help text for the key parameter is not hexadecimal encoded as the help text suggests:
-key string
HMAC url validation key (hexadecimal encoded) - leave blank to disable
proof:
$ morty -listen 127.0.0.1:3000 -key foobar
$ echo -n 'http://127.0.0.1:8000/' | openssl dgst -sha256 -hmac foobar
$ curl 'http://127.0.0.1:3000/?mortyurl=http://127.0.0.1:8000/&mortyhash=047a8c0a42af40750448bc8b72221e70751d23b82bd973feae03207be0630650'
This suggests that the value of -key
is not hexadecimal encoded but just taken as its raw binary value. Another indication for this conclusion is this bug I field to searx: https://github.com/asciimoo/searx/issues/1310 To give searx the right key, I had to base64-encode the ascii representation of the key and did not need to turn a hexadecimal key to binary directly.