
catch possible TypeError and ValueError from serializer #205

Merged
merged 4 commits into from

2 participants: Jameson, Matt Wright

Jameson

see issue #204

Matt Wright
Owner

When is this possible?

Jameson

Certain users could request a reset password URL (the resulting URL was customized via config) and the resulting URL could cause the server to return a 503 due to a TypeError exception being bubbled up from itsdangerous.

Since the patch I now get a proper 200 with an error message instead of the trace. I was able to reproduce the error on Safari, Chrome and IE9.
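As an added illustration of the failure described above (example code, not Flask-Security's or itsdangerous' own): a simplified stand-in for a URL-safe signed-token serializer, with the token-status helper as it behaved before and after this patch. The secret, the `url_id` placeholder appended in the test and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real app takes it from config.
SECRET = b"constructed-example-secret"

class BadSignature(Exception):
    """Raised when the HMAC does not match: the only error the pre-patch code caught."""

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    # Strict decoding: characters outside the URL-safe alphabet (the '&' and '=' of
    # a query string fused onto the token) raise binascii.Error, a ValueError subclass.
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def make_token(payload) -> str:
    """Mint a payload.signature token in the spirit of a URL-safe serializer."""
    body = _b64e(json.dumps(payload).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha1).digest()
    return body + "." + _b64e(sig)

def loads(token: str):
    """Verify the HMAC and decode the payload; mangled input raises ValueError."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        raise BadSignature()
    return json.loads(_b64d(body))

def token_status_before(token: str):
    """Pre-patch behaviour: only BadSignature is handled, so a decode error
    escapes to the caller and surfaces as a server error, not a 'bad token' page."""
    try:
        return False, loads(token)
    except BadSignature:
        return True, None

def token_status_after(token: str):
    """Patched behaviour: TypeError (Python 2's base64 error) and ValueError
    (Python 3's binascii.Error) mark the token invalid, like a bad signature."""
    try:
        return False, loads(token)
    except (BadSignature, TypeError, ValueError):
        return True, None
```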

Matt Wright
Owner

Could you please write a test case for your situation?

Jameson

I will look into producing the test case (it's basically a mangled urlencode string)

Jameson

@mattupstate I produced the test, fails because Python 3.3

Matt Wright
Owner

Thanks!

Matt Wright mattupstate merged commit f854c24 into from
Showing with 14 additions and 0 deletions.
  1. +4 −0 flask_security/utils.py
  2. +10 −0 tests/configured_tests.py
4 flask_security/utils.py
@@ -315,6 +315,10 @@ def get_token_status(token, serializer, max_age=None):
expired = True
except BadSignature:
invalid = True
+ except TypeError:
+ invalid = True
+ except ValueError:
+ invalid = True
if data:
user = _datastore.find_user(id=data[0])
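Review bot: the two new handlers widen what this `try` swallows, and the hunk does not show how much code sits inside the `try` above line 315; if it covers more than the serializer's `loads` call, a TypeError or ValueError from unrelated code will now be silently reported as an invalid token instead of failing loudly. Consider narrowing the `try` to the single `serializer.loads(...)` call, and collapsing the three identical handlers into one: `except (BadSignature, TypeError, ValueError): invalid = True`. A short comment explaining why both exception types are needed would also help future readers: Python 2's base64 decoder raises TypeError on malformed input, while Python 3's raises binascii.Error, a ValueError subclass, which is why the test added in this PR behaves differently on Python 3.3.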
10 tests/configured_tests.py
@@ -425,6 +425,16 @@ def test_reset_password_with_invalid_token(self):
m = self.get_message('INVALID_RESET_PASSWORD_TOKEN')
self.assertIn(m.encode('utf-8'), r.data)
+ def test_reset_password_with_mangled_token(self):
+ t = "WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd.BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d"
+ r = self._post('/reset/' + t, data={
+ 'password': 'newpassword',
+ 'password_confirm': 'newpassword'
+ }, follow_redirects=True)
+
+ m = self.get_message('INVALID_RESET_PASSWORD_TOKEN')
+ self.assertIn(m.encode('utf-8'), r.data)
+
class ExpiredResetPasswordTest(SecurityTest):
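Review bot: the fixture token `t` on the first line of `test_reset_password_with_mangled_token` is a valid-looking token with a `&url_id=...` query fragment fused onto it, but nothing in the test says so; a one-line comment noting that this reproduces a URL where the query string ended up inside the path would make clear why the expected outcome is the INVALID_RESET_PASSWORD_TOKEN message rather than a signature failure. Since the assertions are identical to `test_reset_password_with_invalid_token` just above, it may also be worth asserting on the response status (a 200 with the message, per the PR description) so the test fails if the exception ever escapes as a server error again rather than only checking for the message text.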