Hi,

Not sure if this is anything you want to fix, but I wanted to at least highlight the issue:

Calling `Serializer` in 1.1.0 with a salt set to `None` used to work fine, but in version 2.0.0 this throws an exception:

In my code, this happens because the `Serializer` is called from another function that has a salt keyword argument that is set to `None`, something along the lines of:

```python
from itsdangerous.serializer import Serializer


def init_serializer_old(secret, salt=None):
    # do stuff
    return Serializer(secret, salt)
```

Naively I now changed the code to only pass the salt keyword argument on if it is not `None`, something along the lines of:

```python
from itsdangerous.serializer import Serializer


def init_serializer_new(secret, salt=None):
    kwargs = {}
    if salt:
        kwargs['salt'] = salt
    # do stuff
    return Serializer(secret, **kwargs)
```

Using that, though, generates a different signature than the first code snippet above:

It turns out that this is because both `Serializer` and `Signer` provide a default value for the salt argument, `b"itsdangerous"` and `b"itsdangerous.Signer"` respectively. However, in 1.1.0 `Signer` accepted `None` as a salt and if so would use the value `b"itsdangerous.Signer"`. This is no longer the case due to this change: aed5b26#diff-1d0e89827237bbe1bf2e65ff4801829cb4737a4679b4f14edaddd4b0414030cdL137

If I no longer pass `None` in version 2.0.0 as the salt, the default is taken from `Serializer` and is therefore different from when I explicitly passed `None` in 1.1.0 and it was taken from `Signer`. This can be fixed in my own code fairly easily:

```python
from itsdangerous.serializer import Serializer


def init_serializer_new_v2(secret, salt=b"itsdangerous.Signer"):
    # do stuff
    return Serializer(secret, salt)
```

We caught this in our tests, but others may not be so lucky, so I at least wanted to document this new behaviour here.

Environment:

- Python version: python3.8
- ItsDangerous version: 2.0.0
I didn't think using `None` just to replace it with a string made sense; typically the "default `None`" pattern is used for mutable or complex defaults. I also didn't expect users to be passing `None`: either they would not pass it and get the serializer's default `b"itsdangerous"`, or they would pass it explicitly and get that value for namespace purposes.
Since it can affect the validity of tokens, I'll make a bugfix release. However, I'd recommend you set an explicit default regardless, as it makes more sense to set a default namespace that is related to your own project.
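To show why the two defaults described in the issue produce mutually incompatible tokens, and why the advice above to pin an explicit salt matters for token validity, here is an added stand-alone model (not itsdangerous' own code) of the default signing scheme written with the standard library: HMAC-SHA1 over the payload, keyed with sha1(salt + b"signer" + secret), which is how the library's default "django-concat" derivation is understood to work. The secret, payload and `migration_check` helper are constructed for this illustration and are not from the issue.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Defaults of the two classes in itsdangerous 2.0.0, as quoted in the issue.
SERIALIZER_DEFAULT_SALT = b"itsdangerous"
SIGNER_DEFAULT_SALT = b"itsdangerous.Signer"

def derive_key(secret: bytes, salt: bytes) -> bytes:
    # Modelled on the library's default "django-concat" derivation (assumption):
    # the salt is hashed into the key, so two salts yield unrelated keys.
    return hashlib.sha1(salt + b"signer" + secret).digest()

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def sign(secret: bytes, salt: bytes, payload: bytes) -> bytes:
    sig = hmac.new(derive_key(secret, salt), payload, hashlib.sha1).digest()
    return payload + b"." + _b64(sig)

def unsign(secret: bytes, salt: bytes, token: bytes) -> Optional[bytes]:
    """Return the payload if the signature verifies under this salt, else None."""
    payload, _, sig = token.rpartition(b".")
    expected = hmac.new(derive_key(secret, salt), payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(_b64(expected), sig) else None

def dumps(secret: bytes, obj, salt: bytes = SERIALIZER_DEFAULT_SALT) -> bytes:
    # Compact JSON payload, as the library's Serializer emits.
    return sign(secret, salt, json.dumps(obj, separators=(",", ":")).encode())

def loads(secret: bytes, token: bytes, salt: bytes = SERIALIZER_DEFAULT_SALT):
    payload = unsign(secret, salt, token)
    return None if payload is None else json.loads(payload)

def migration_check(secret: bytes, legacy_token: bytes) -> dict:
    """Report which 2.0.0 default verifies a token issued via 1.1.0's salt=None path."""
    return {
        "serializer_default": loads(secret, legacy_token) is not None,
        "signer_default": loads(secret, legacy_token, SIGNER_DEFAULT_SALT) is not None,
    }

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed sample value
    # In 1.1.0, salt=None fell through to Signer's default; reproduce such a token.
    legacy = dumps(secret, {"user": 42}, salt=SIGNER_DEFAULT_SALT)
    print(migration_check(secret, legacy))
```

Only tokens whose salt matches on both sides verify, so a service that changes which default it reaches silently invalidates every token already issued, which is why an explicit, project-specific salt should be fixed once and never inferred from a `None` default.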