
TimestampSigner not working as expected when I use a - as separator #62

Closed
avinassh opened this issue May 19, 2016 · 5 comments

@avinassh

To produce the error:

```python
from itsdangerous import TimestampSigner
s = TimestampSigner('secret-key', sep='-')
string = s.sign('foo')
s.unsign(string, max_age=50)
```

When I ran the above code multiple times in a loop, I got the following exceptions: SignatureExpired or BadTimeSignature.

@davidism
Member

I can't reproduce either error with the example given. If you got a signature expired, then you waited longer than 50 seconds before unsigning.

@avinassh
Author

Nope, I am not waiting more than 50 seconds, I am just checking instantly. Here is a video demo where I am just copy-pasting repeatedly and you will see both the errors: http://gifyu.com/image/FHN

@avinassh
Author

I used the same code which I had posted earlier. Now I am not sure why it's not generating the error on your machine.

@johnlam

johnlam commented Jul 11, 2016

Here's what I think is going on.
The signature will be `urlsafe_b64encode()`d.
So part of the signature (and/or part of the timestamp) might contain your separator `-`, which would result in either a wrong timestamp or a wrong signature.

A potential fix could be to check if the separator is part of the base64_urlsafe() charset and/or write that in the docs.

How to reproduce:

```python
import time
from itsdangerous import TimestampSigner

for i in range(100):  # xrange in the original Python 2 snippet
    # On itsdangerous >= 1.0.0 this constructor raises ValueError for sep='-'
    # (see #62 in the changelog below); on older releases it is accepted.
    s = TimestampSigner('secret-key', sep='-')
    mystr = s.sign('foo')
    try:
        s.unsign(mystr, max_age=200)
    except:
        raise  # re-raise so the BadTimeSignature / SignatureExpired is visible
    time.sleep(1)
```

Example string `foo-CmVi_g-pt8iji6JAw61H0EJm-bFJumhEZw` (signature will be `bFJumhEZw` instead of `pt8iji6JAw61H0EJm-bFJumhEZw`)
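The framing problem johnlam describes, as an added stdlib-only model (not code from this issue or from itsdangerous): signing is simplified to `value<sep>base64url(timestamp)<sep>base64url(HMAC-SHA1)`, parsing splits twice from the right as the library does, and `check_separator` is a constructed version of the separator check the 1.0.0 changelog entry for #62 describes. The 4-byte timestamp encoding and the key `b"secret-key"` are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import string
from typing import List, Tuple

# Every character urlsafe_b64encode() can emit. A separator drawn from this set is
# ambiguous: it may also occur inside the encoded timestamp or the signature.
URLSAFE_B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "-_=")


def check_separator(sep: str) -> str:
    """Reject a separator that can collide with base64url output (constructed check)."""
    if sep in URLSAFE_B64_ALPHABET:
        raise ValueError(
            f"separator {sep!r} can appear inside the signature; "
            "choose a character outside the base64url alphabet, e.g. '.'"
        )
    return sep


def b64(data: bytes) -> str:
    """base64url without padding, the encoding used for timestamps and signatures."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_parts(value: str, key: bytes, sep: str, timestamp: int) -> Tuple[str, str, str]:
    """Simplified model of TimestampSigner.sign: (value, timestamp, HMAC-SHA1 tag)."""
    ts = b64(timestamp.to_bytes(4, "big"))  # assumption: 4-byte big-endian timestamp
    sig = b64(hmac.new(key, f"{value}{sep}{ts}".encode("ascii"), hashlib.sha1).digest())
    return value, ts, sig


def split_signed(signed: str, sep: str) -> Tuple[str, str, str]:
    """Model of unsign's parsing: split on the separator twice, from the right."""
    body, sig = signed.rsplit(sep, 1)
    value, ts = body.rsplit(sep, 1)
    return value, ts, sig


def failing_timestamps(value: str, key: bytes, sep: str, n: int) -> List[int]:
    """Timestamps in [0, n) whose signed string does not parse back into its own parts."""
    bad = []
    for t in range(n):
        parts = sign_parts(value, key, sep, t)
        if split_signed(sep.join(parts), sep) != parts:
            bad.append(t)
    return bad


if __name__ == "__main__":
    # The string from the comment above: with sep="-" the parser takes "bFJumhEZw" as the tag.
    print(split_signed("foo-CmVi_g-pt8iji6JAw61H0EJm-bFJumhEZw", "-"))
    print(len(failing_timestamps("foo", b"secret-key", "-", 200)), "of 200 break with '-'")
    print(len(failing_timestamps("foo", b"secret-key", ".", 200)), "of 200 break with '.'")
```

Because the HMAC tag is 27 base64url characters, roughly a third of signatures contain `-`, which is why the reporter saw the failure only intermittently.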

@untitaker
Contributor

I fixed it exactly as @johnlam described. I'm not considering this API breakage because this sort of usage never worked.

@davidism davidism added this to the 1.0.0 milestone Sep 28, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 10, 2018
Version 1.1.0
-------------

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114


Version 1.0.0
-------------

Released 2018-10-18

YANKED

*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
    (`#27`_)
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2021