Replace all base64 decoding errors with BadData. #27
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
+1 |
|
+1 - I had someone use a unicode dash instead of a minus in a URL, threw Incorrect Padding instead of a signature related exception. |
|
I'm on board with the exception fix, but why is there an unrelated change that makes invalid data into valid tokens? |
|
It's not unrelated, but I guess the PR's name implies a smaller scope. Characters that are invalid base64 are first ignored, then decoding proceeds. Decoding could still fail because of bad data, though. |
|
That's not something that should happen. Invalid data is invalid, the fact that removing some characters might produce a valid signature doesn't matter. If that's something you want to happen, write a custom Serializer subclass (although you should probably fix the thing sending you bad data instead). |
|
Rebased with just the exception handling in ec69312. |
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Nov 10, 2018
Version 1.1.0 ------------- Released 2018-10-26 - Change default signing algorithm back to SHA-1. (`#113`_) - Added a default SHA-512 fallback for users who used the yanked 1.0.0 release which defaulted to SHA-512. (`#114`_) - Add support for fallback algorithms during deserialization to support changing the default in the future without breaking existing signatures. (`#113`_) - Changed capitalization of packages back to lowercase as the change in capitalization broke some tooling. (`#113`_) .. _#113: pallets/itsdangerous#113 .. _#114: pallets/itsdangerous#114 Version 1.0.0 ------------- Released 2018-10-18 YANKED *Note*: This release was yanked from PyPI because it changed the default algorithm to SHA-512. This decision was reverted in 1.1.0 and it remains at SHA1. - Drop support for Python 2.6 and 3.3. - Refactor code from a single module to a package. Any object in the API docs is still importable from the top-level ``itsdangerous`` name, but other imports will need to be changed. A future release will remove many of these compatibility imports. (`#107`_) - Optimize how timestamps are serialized and deserialized. (`#13`_) - ``base64_decode`` raises ``BadData`` when it is passed invalid data. (`#27`_) - Ensure value is bytes when signing to avoid a ``TypeError`` on Python 3. (`#29`_) - Add a ``serializer_kwargs`` argument to ``Serializer``, which is passed to ``dumps`` during ``dump_payload``. (`#36`_) - More compact JSON dumps for unicode strings. (`#38`_) - Use the full timestamp rather than an offset, allowing dates before 2011. (`#46`_) - Detect a ``sep`` character that may show up in the signature itself and raise a ``ValueError``. (`#62`_) - Use a consistent signature for keyword arguments for ``Serializer.load_payload`` in subclasses. (`#74`_, `#75`_) - Change default intermediate hash from SHA-1 to SHA-512. (`#80`_) - Convert JWS exp header to an int when loading. (`#99`_) .. _#13: pallets/itsdangerous#13 .. _#27: pallets/itsdangerous#27 .. _#29: pallets/itsdangerous#29 .. _#36: pallets/itsdangerous#36 .. _#38: pallets/itsdangerous#38 .. _#46: pallets/itsdangerous#46 .. _#62: pallets/itsdangerous#62 .. _#74: pallets/itsdangerous#74 .. _#75: pallets/itsdangerous#75 .. _#80: pallets/itsdangerous#80 .. _#99: pallets/itsdangerous#99 .. _#107: pallets/itsdangerous#107
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Perhaps Exception is not the best thing to catch.