/itsdangerous

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

`TimestampSigner` not working as expected when I use a `-` as separator #62

Closed
avinassh opened this Issue May 19, 2016 · 5 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
  1.0.0
4 participants
@avinassh @davidism @johnlam @untitaker
@avinassh

avinassh commented May 19, 2016

To produce the error:

from itsdangerous import TimestampSigner
s = TimestampSigner('secret-key', sep='-')
string = s.sign('foo')
s.unsign(string, max_age=50)

When I ran the above code multiple times in loop, I got following exceptions: SignatureExpired or BadTimeSignature.
@davidism

This comment has been minimized.

Sign in to view
Member

davidism commented May 19, 2016

I can't reproduce either error with the example given. If you got a signature expired, then you waited longer than 50 seconds before unsigning.
@avinassh

This comment has been minimized.

Sign in to view

avinassh commented May 19, 2016

Nope, I am not waiting more than 50 seconds, I am just checking instantly. Here is an video demo where I am just copy pasting repeatedly and you will see both the errors: http://gifyu.com/image/FHN
@avinassh

This comment has been minimized.

Sign in to view

avinassh commented May 20, 2016

I used the same code which I had posted earlier. Now I am not sure why its not generating error in your machine.
@johnlam

This comment has been minimized.

Sign in to view

johnlam commented Jul 11, 2016

Here's what I think is going on.
The signature will be urlsafe_b64encode()d .
So part of the signature (and/or part of the timestamp) might contain your separator - , which would result in either a wrong timestamp or a wrong signature.

A potential fix could be to check if the separator is part of the base64_urlsafe() charset and/or write that in the docs.

How to reproduce.

for i in xrange(100):
    s = TimestampSigner('secret-key',sep='-')
    mystr = s.sign('foo')
    try:
        s.unsign(mystr,max_age=200)
    except:
        raise
    time.sleep(1)

Example string foo-CmVi_g-pt8iji6JAw61H0EJm-bFJumhEZw (signature will be bFJumhEZw instead of pt8iji6JAw61H0EJm-bFJumhEZw)

@untitaker untitaker closed this in ce5e2cd Aug 21, 2016

@untitaker

This comment has been minimized.

Sign in to view
Member

untitaker commented Aug 21, 2016

I fixed it exactly as @johnlam described. I'm not considering this API breakage because this sort of usage never worked.

@davidism davidism added this to the 1.0.0 milestone Sep 28, 2018

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 10, 2018

@kleink
Update py-itsdangerous to 1.1.0. 
Version 1.1.0
-------------

Released 2018-10-26

-   Change default signing algorithm back to SHA-1. (`#113`_)
-   Added a default SHA-512 fallback for users who used the yanked 1.0.0
    release which defaulted to SHA-512. (`#114`_)
-   Add support for fallback algorithms during deserialization to
    support changing the default in the future without breaking existing
    signatures. (`#113`_)
-   Changed capitalization of packages back to lowercase as the change
    in capitalization broke some tooling. (`#113`_)

.. _#113: pallets/itsdangerous#113
.. _#114: pallets/itsdangerous#114


Version 1.0.0
-------------

Released 2018-10-18

YANKED

*Note*: This release was yanked from PyPI because it changed the default
algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains
at SHA1.

-   Drop support for Python 2.6 and 3.3.
-   Refactor code from a single module to a package. Any object in the
    API docs is still importable from the top-level ``itsdangerous``
    name, but other imports will need to be changed. A future release
    will remove many of these compatibility imports. (`#107`_)
-   Optimize how timestamps are serialized and deserialized. (`#13`_)
-   ``base64_decode`` raises ``BadData`` when it is passed invalid data.
    (`#27`_)
-   Ensure value is bytes when signing to avoid a ``TypeError`` on
    Python 3. (`#29`_)
-   Add a ``serializer_kwargs`` argument to ``Serializer``, which is
    passed to ``dumps`` during ``dump_payload``. (`#36`_)
-   More compact JSON dumps for unicode strings. (`#38`_)
-   Use the full timestamp rather than an offset, allowing dates before
    2011. (`#46`_)
-   Detect a ``sep`` character that may show up in the signature itself
    and raise a ``ValueError``. (`#62`_)
-   Use a consistent signature for keyword arguments for
    ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_)
-   Change default intermediate hash from SHA-1 to SHA-512. (`#80`_)
-   Convert JWS exp header to an int when loading. (`#99`_)

.. _#13: pallets/itsdangerous#13
.. _#27: pallets/itsdangerous#27
.. _#29: pallets/itsdangerous#29
.. _#36: pallets/itsdangerous#36
.. _#38: pallets/itsdangerous#38
.. _#46: pallets/itsdangerous#46
.. _#62: pallets/itsdangerous#62
.. _#74: pallets/itsdangerous#74
.. _#75: pallets/itsdangerous#75
.. _#80: pallets/itsdangerous#80
.. _#99: pallets/itsdangerous#99
.. _#107: pallets/itsdangerous#107
8dba0d6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment