Forbid unsafe separators
Fix #62
untitaker committed Aug 21, 2016
1 parent 10d5489 commit ce5e2cd
Showing 2 changed files with 18 additions and 1 deletion.
13 changes: 12 additions & 1 deletion itsdangerous.py
Expand Up @@ -9,6 +9,7 @@
:copyright: (c) 2011 by Armin Ronacher and the Django Software Foundation.
:license: BSD, see LICENSE for more details.
"""
import string
import struct
import sys
import hmac
Expand Down Expand Up @@ -215,6 +216,11 @@ def base64_decode(string):
raise BadData('Invalid base64-encoded data')


# The alphabet used by base64.urlsafe_*
_base64_alphabet = (
string.ascii_letters + string.digits + '-_='
).encode('ascii')

_int64_struct = struct.Struct('>Q')
_int_to_bytes = _int64_struct.pack
_bytes_to_int = _int64_struct.unpack
Expand Down Expand Up @@ -306,7 +312,12 @@ class constructor.
def __init__(self, secret_key, salt=None, sep='.', key_derivation=None,
digest_method=None, algorithm=None):
self.secret_key = want_bytes(secret_key)
self.sep = sep
self.sep = want_bytes(sep)
if self.sep in _base64_alphabet:
raise ValueError('The given separator cannot be used because it '
'may be contained in the signature itself. '
'Alphanumeric characters and `-_=` must not be '
'used.')
self.salt = 'itsdangerous.Signer' if salt is None else salt
if key_derivation is None:
key_derivation = self.default_key_derivation
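Review bot: The guard `if self.sep in _base64_alphabet:` in `__init__` is a substring test on bytes, so it rejects only separators that appear contiguously in the alphabet string. A multi-character separator built from the same characters, such as `--` or `ba`, passes the check although it could occur inside a signature, which is the risk the error message names. Testing each byte would close that gap, for example `if not self.sep or all(c in _base64_alphabet for c in self.sep):`, which works whether iteration yields one-character strings or ints. An empty separator is currently rejected only because the empty string is a substring of everything, and the message about alphanumerics does not describe that case. `__init__` continues past the end of the hunk, so later uses of the now-bytes `self.sep` are not visible here.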
6 changes: 6 additions & 0 deletions tests.py
@@ -1,6 +1,7 @@
#!/usr/bin/env python
import time
import pickle
import pytest
import hashlib
import unittest
from datetime import datetime
Expand Down Expand Up @@ -37,6 +38,11 @@ def test_sign(self):
s = self.make_signer('secret-key')
assert isinstance(s.sign('my string'), bytes)

def test_sign_invalid_separator(self):
with pytest.raises(ValueError) as excinfo:
s = self.make_signer('secret-key', sep='-')
assert 'separator cannot be used' in str(excinfo.value)


class SerializerTestCase(unittest.TestCase):
serializer_class = idmod.Serializer
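Review bot: `test_sign_invalid_separator` exercises only `sep='-'`, so the letters, digits, `_` and `=` that the new error message also forbids are never checked, and neither is a multi-character separator. Looping over several values, e.g. `for sep in ('-', '_', '=', 'a', '0'):`, and adding a case such as `'--'` would pin down how multi-character separators are meant to be handled. A companion assertion that a separator outside the alphabet, such as `':'`, still constructs a signer would guard against the check becoming too broad. The `s =` binding inside the `pytest.raises` block is unused and can be dropped. Indentation is lost on this page, so confirm that the `assert` on `excinfo.value` sits outside the `with` block, since inside it the line would never run.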
