fixes #2677: secure way of sharing dmails

2016-12-05 16:20:25 -08:00
parent b68ded2796
commit bfa1ac63a4
2 changed files with 6 additions and 4 deletions
--- a/app/models/dmail.rb
+++ b/app/models/dmail.rb
@@ -86,7 +86,7 @@ class Dmail < ActiveRecord::Base
    end
    
    def method_attributes
-      super + [:hash]
+      super + [:key]
    end
  end
  
@@ -222,12 +222,13 @@ class Dmail < ActiveRecord::Base
    end
  end
  
-  def hash
-    Digest::SHA1.hexdigest("#{title} #{body}")
+  def key
+    digest = OpenSSL::Digest.new("sha256")
+    OpenSSL::HMAC.hexdigest(digest, Danbooru.config.email_key, "#{title} #{body}")
  end
  
  def visible_to?(user, key)
-    owner_id == user.id || (user.is_moderator? && key == self.hash)
+    owner_id == user.id || (user.is_moderator? && key == self.key)
  end

 end