Improve encoding of strings. Addresses #231 and #253

pallets-eco · Jun 10, 2014 · 0a48997 · 0a48997
1 parent 96f1b3e
commit 0a48997
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/flask_security/utils.py b/flask_security/utils.py
@@ -99,13 +99,15 @@ def get_hmac(password):
 
     :param password: The password to sign
     """
-    if _security.password_salt is None:
+    salt = _security.password_salt
+
+    if salt is None:
         raise RuntimeError(
             'The configuration value `SECURITY_PASSWORD_SALT` must '
             'not be None when the value of `SECURITY_PASSWORD_HASH` is '
             'set to "%s"' % _security.password_hash)
 
-    h = hmac.new(_security.password_salt.encode('utf-8'), password.encode('utf-8'), hashlib.sha512)
+    h = hmac.new(encode_string(salt), encode_string(password), hashlib.sha512)
     return base64.b64encode(h.digest())
 
 
@@ -149,8 +151,18 @@ def encrypt_password(password):
     return _pwd_context.encrypt(signed)
 
 
+def encode_string(string):
+    """Encodes a string to bytes, if it isn't already.
+
+    :param string: The string to encode"""
+
+    if isinstance(string, text_type):
+        string = string.encode('utf-8')
+    return string
+
+
 def md5(data):
-    return hashlib.md5(data.encode('utf-8')).hexdigest()
+    return hashlib.md5(encode_string(data)).hexdigest()
 
 
 def do_flash(message, category=None):

diff --git a/tests/test_misc.py b/tests/test_misc.py
@@ -12,7 +12,7 @@
 from flask_security.forms import LoginForm, RegisterForm, ConfirmRegisterForm, \
     SendConfirmationForm, PasswordlessLoginForm, ForgotPasswordForm, ResetPasswordForm, \
     ChangePasswordForm, TextField, PasswordField, email_required, email_validator, valid_user_email
-from flask_security.utils import capture_reset_password_requests
+from flask_security.utils import capture_reset_password_requests, md5, string_types
 
 from utils import authenticate, init_app_with_options, populate_data
 
@@ -170,3 +170,19 @@ def test_change_hash_type(app, sqlalchemy_datastore):
 
     response = client.post('/login', data=dict(email='matt@lp.com', password='password'))
     assert response.status_code == 302
+
+
+def test_md5():
+    data = md5(b'hello')
+    assert isinstance(data, string_types)
+    data = md5(u'hellö')
+    assert isinstance(data, string_types)
+
+
+@pytest.mark.settings(password_salt=u'öööööööööööööööööööööööööööööööööö',
+                      password_hash='bcrypt')
+def test_password_unicode_password_salt(client):
+    response = authenticate(client)
+    assert response.status_code == 302
+    response = authenticate(client, follow_redirects=True)
+    assert b'Hello matt@lp.com' in response.data