exception in itsdangerous.py #68

Closed
zykis opened this issue Sep 3, 2016 · 3 comments

@zykis

zykis commented Sep 3, 2016

Hey, guys!
I've passed a wrong token into TimedJSONWebSignatureSerializer::loads and got an exception in itsdangerous.py:380.
Here is a traceback:

Traceback (most recent call last):

  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 2000, in __call__
    return self.wsgi_app(environ, start_response)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1991, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1567, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
    response = self.full_dispatch_request()
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
    rv = self.dispatch_request()
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask_httpauth.py", line 86, in decorated
    if not self.authenticate(auth, password):
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/flask_httpauth.py", line 123, in authenticate
    return self.verify_password_callback(username, client_password)
  File "/Users/artem/projects/DotaAsker/server/app/views.py", line 41, in verify_password
    user = User.verify_auth_token(username_or_token)
  File "/Users/artem/projects/DotaAsker/server/app/models.py", line 146, in verify_auth_token
    data = s.loads(token)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 795, in loads
    self, s, salt, return_header=True)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 749, in loads
    self.make_signer(salt, self.algorithm).unsign(want_bytes(s)),
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 368, in unsign
    if sep not in signed_value:
TypeError: argument of type 'NoneType' is not iterable

I was just expecting it to throw a BadSignature, but it seems that the code didn't reach that line. Any suggestions?

@davidism
Member

davidism commented Sep 4, 2016

Please include a minimal example that reproduces the issue.

@zykis
Author

zykis commented Sep 4, 2016

Well, actually it's my fault.
I am really passing None to Serializer::loads somehow.

from itsdangerous import TimedJSONWebSignatureSerializer as Serializer
s = Serializer('sadlk21lkmsadhaaw')
data = s.loads(None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 795, in loads
    self, s, salt, return_header=True)
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 749, in loads
    self.make_signer(salt, self.algorithm).unsign(want_bytes(s)),
  File "/Users/artem/projects/DotaAsker/server/flask/lib/python2.7/site-packages/itsdangerous.py", line 368, in unsign
    if sep not in signed_value:
TypeError: argument of type 'NoneType' is not iterable

@untitaker
Contributor

Not sure if this warrants a better error message... but maybe something to consider if more reports like this are coming up.
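An added example, not part of the thread and not the project's or the reporter's code: a token check for an auth callback that treats a missing token as a failed login instead of letting the `TypeError` above become a 500, and catches the library's `BadData` family for everything else. It assumes `URLSafeTimedSerializer` (recent itsdangerous releases no longer ship `TimedJSONWebSignatureSerializer`); the key, salt, lifetime, reason strings and function names are constructed for illustration.

```python
from itsdangerous import BadData, SignatureExpired, URLSafeTimedSerializer

SECRET_KEY = "constructed-demo-key"  # constructed; load from app config in real use
TOKEN_MAX_AGE = 600                  # seconds; assumed token lifetime

_serializer = URLSafeTimedSerializer(SECRET_KEY, salt="auth-token")


def generate_auth_token(user_id):
    """Sign a small payload carrying the user id."""
    return _serializer.dumps({"id": user_id})


def check_token(token, max_age=TOKEN_MAX_AGE):
    """Return (user_id, reason); user_id is None on any failure.

    The reason string is for server-side logging only and should not be
    echoed to the client.
    """
    # An absent credential (None, empty, wrong type) is an authentication
    # failure, not a server error: reject it before it reaches loads().
    if not isinstance(token, (str, bytes)) or not token:
        return None, "missing"
    try:
        data = _serializer.loads(token, max_age=max_age)
    except SignatureExpired:
        # Signature was valid but the token is older than max_age.
        return None, "expired"
    except BadData:
        # Covers BadSignature, BadTimeSignature and BadPayload.
        return None, "invalid"
    if not isinstance(data, dict) or "id" not in data:
        return None, "invalid"
    return data["id"], "ok"


def verify_auth_token(token):
    """Drop-in shape for a verify_password-style callback: id or None."""
    user_id, _reason = check_token(token)
    return user_id
```

Catching `BadData` rather than only `BadSignature` also covers a correctly signed token whose payload fails to deserialize.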

@davidism davidism closed this as completed Nov 1, 2016
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 9, 2021