`TimestampSigner` not working as expected when I use a `-` as separator #62
Comments
|
I can't reproduce either error with the example given. If you got a signature expired, then you waited longer than 50 seconds before unsigning. |
|
Nope, I am not waiting more than 50 seconds, I am just checking instantly. Here is an video demo where I am just copy pasting repeatedly and you will see both the errors: http://gifyu.com/image/FHN |
|
I used the same code which I had posted earlier. Now I am not sure why its not generating error in your machine. |
|
Here's what I think is going on. A potential fix could be to check if the separator is part of the base64_urlsafe() charset and/or write that in the docs. How to reproduce. for i in xrange(100):
s = TimestampSigner('secret-key',sep='-')
mystr = s.sign('foo')
try:
s.unsign(mystr,max_age=200)
except:
raise
time.sleep(1)Example string foo-CmVi_g-pt8iji6JAw61H0EJm-bFJumhEZw (signature will be |
|
I fixed it exactly as @johnlam described. I'm not considering this API breakage because this sort of usage never worked. |
Version 1.1.0
-------------
Released 2018-10-26
- Change default signing algorithm back to SHA-1. (`#113`_)
- Added a default SHA-512 fallback for users who used the yanked 1.0.0
release which defaulted to SHA-512. (`#114`_)
- Add support for fallback algorithms during deserialization to
support changing the default in the future without breaking existing
signatures. (`#113`_)
- Changed capitalization of packages back to lowercase as the change
in capitalization broke some tooling. (`#113`_)
.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114
Version 1.0.0
-------------
Released 2018-10-18
YANKED
*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.
- Drop support for Python 2.6 and 3.3.
- Refactor code from a single module to a package. Any object in the
API docs is still importable from the top-level ``itsdangerous``
name, but other imports will need to be changed. A future release
will remove many of these compatibility imports. (`#107`_)
- Optimize how timestamps are serialized and deserialized. (`#13`_)
- ``base64_decode`` raises ``BadData`` when it is passed invalid data.
(`#27`_)
- Ensure value is bytes when signing to avoid a ``TypeError`` on
Python 3. (`#29`_)
- Add a ``serializer_kwargs`` argument to ``Serializer``, which is
passed to ``dumps`` during ``dump_payload``. (`#36`_)
- More compact JSON dumps for unicode strings. (`#38`_)
- Use the full timestamp rather than an offset, allowing dates before
2011. (`#46`_)
- Detect a ``sep`` character that may show up in the signature itself
and raise a ``ValueError``. (`#62`_)
- Use a consistent signature for keyword arguments for
``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
- Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
- Convert JWS exp header to an int when loading. (`#99`_)
.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
To produce the error:
When I ran the above code multiple times in loop, I got following exceptions:
SignatureExpiredorBadTimeSignature.The text was updated successfully, but these errors were encountered: