
_create_identifier returns a value that is not serializable to JSON #31

Closed
jeremypenner opened this Issue · 5 comments

6 participants

@jeremypenner

After becoming aware that Flask, by default, pickles its session object, and thus is vulnerable to remote execution if someone discovers your secret key ( see http://stacksmashing.net/2012/08/10/dear-flask-please-fix-your-secure-cookies/ ), I tried to switch to using itsdangerous for session management as detailed at http://flask.pocoo.org/snippets/51/ .

Unfortunately, this fails, because _create_identifier returns the raw MD5 digest in bytes, which can't be represented as a Unicode string, and thus serialized to JSON. I can work around this with a custom serializer, but it would be nice if there were at least an option to base64 encode this value or something.

@maxcountryman

This definitely needs to be fixed. Thanks for pointing this out.

@sederek

Would changing line 136 to this help?

return hsh.hexdigest()

Or is it more than just this?

@xsleonard

@sederek yes thats all
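As an added example (not code from this project or from any commenter), the two return shapes of the identifier side by side, plus a stdlib-only stand-in for the itsdangerous-style signed JSON cookie the opening post wants to use. Which request attributes the real identifier hashes, the `_id` field name, the sample user agent and address, and the HMAC-SHA256 cookie construction are all assumptions for illustration; the point shown is that a raw `digest()` breaks `json.dumps` while `hexdigest()` round-trips through a signed JSON cookie, which carries data rather than a pickle and so cannot execute code on load even if the key leaks.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed request attributes standing in for the User-Agent header and
# the remote address (assumption: the thread does not state exactly which
# attributes the identifier hashes).
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) constructed-example"
REMOTE_ADDR = "203.0.113.7"
SECRET_KEY = b"constructed-secret-key-not-for-production"


def create_identifier_bytes(user_agent: str, remote_addr: str) -> bytes:
    """Shape of the identifier before the fix: the raw 16-byte MD5 digest."""
    base = "{}|{}".format(remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8")).digest()


def create_identifier_hex(user_agent: str, remote_addr: str) -> str:
    """Shape after the fix: the same digest as a 32-character hex string."""
    base = "{}|{}".format(remote_addr, user_agent)
    return hashlib.md5(base.encode("utf8")).hexdigest()


def is_json_serializable(value) -> bool:
    """True when a session dict holding `value` can be dumped to JSON."""
    try:
        json.dumps({"_id": value})
    except TypeError:
        return False
    return True


def sign_session(session: dict, secret_key: bytes) -> str:
    """Serialise the session as JSON and append an HMAC-SHA256 tag.

    Stdlib stand-in for an itsdangerous-style signed cookie: the payload is
    plain data, so a leaked key lets an attacker forge session contents but
    never run code when the cookie is loaded.
    """
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode("utf8")
    tag = hmac.new(secret_key, payload, hashlib.sha256).digest()
    return "{}.{}".format(
        base64.urlsafe_b64encode(payload).decode("ascii"),
        base64.urlsafe_b64encode(tag).decode("ascii"),
    )


def load_session(cookie: str, secret_key: bytes) -> Optional[dict]:
    """Verify the tag in constant time and decode the JSON; None on any failure."""
    try:
        payload_b64, tag_b64 = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # missing separator or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload.decode("utf8"))


if __name__ == "__main__":
    raw = create_identifier_bytes(USER_AGENT, REMOTE_ADDR)
    hexed = create_identifier_hex(USER_AGENT, REMOTE_ADDR)
    print("bytes digest JSON-serialisable:", is_json_serializable(raw))
    print("hex digest JSON-serialisable:  ", is_json_serializable(hexed))
    cookie = sign_session({"_id": hexed, "user_id": "42"}, SECRET_KEY)
    print("signed cookie:", cookie)
    print("round trip:   ", load_session(cookie, SECRET_KEY))
    print("wrong key:    ", load_session(cookie, b"wrong-key"))
```

The verifier rejects a cookie before it ever reaches `json.loads`, so a tampered payload or a cookie signed under a different key yields `None` rather than an exception; that is the behaviour you want from a session loader, and it is only possible because every value in the session, the identifier included, is a JSON-native type.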

@romabysen

Could we have a fix and a new release? This problem is a bit of a bummer if you want to use itsdangerous sessions.
Gist with the fix here: git://gist.github.com/3731115.git

@BobDickinson

I also ran into this issue. My production environment only allows me to use the PyPi version, so I had to monkey patch _create_identifier in my "itsdangerous" session implementation (creepy, but works fine).

@ameily referenced this issue: New PyPi Release #59 (Closed)
