This repository has been archived by the owner on Jul 30, 2024. It is now read-only.

Uncatchable Incorrect Padding TypeError from itsdangerous on bad reset token #204

Closed
jamesonjlee opened this issue Jan 4, 2014 · 0 comments

Comments

@jamesonjlee
Contributor

tl;dr:
Please have Flask-Security catch the Base64-related TypeError and propagate (or catch) the exception.

In /flask_security/utils.py line 270 in get_token_status it should also catch TypeError (and assume that the signature has been tampered with or something).

Reason:
I had a user follow a reset password link like this (note the additional &url_id=jibberish): https://myserver.com/reset_password/blah.foo.bar&url_id=jibberish

When I removed the &url_id=jibberish segment the request failed properly (link has expired). When I leave it in I get the trace below. This doesn't happen for every signed URL, but it does/did happen.

Traceback (most recent call last):
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask_security/decorators.py", line 205, in wrapper
    return f(*args, **kwargs)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask_security/views.py", line 258, in reset_password
    expired, invalid, user = reset_password_token_status(token)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask_security/recoverable.py", line 68, in reset_password_token_status
    return get_token_status(token, 'reset', 'RESET_PASSWORD')
  File "/opt/server_app/env/local/lib/python2.7/site-packages/flask_security/utils.py", line 270, in get_token_status
    data = serializer.loads(token, max_age=max_age)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/itsdangerous.py", line 615, in loads
    .unsign(s, max_age, return_timestamp=True)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/itsdangerous.py", line 394, in unsign
    result = Signer.unsign(self, value)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/itsdangerous.py", line 343, in unsign
    if self.verify_signature(value, sig):
  File "/opt/server_app/env/local/lib/python2.7/site-packages/itsdangerous.py", line 333, in verify_signature
    sig = base64_decode(sig)
  File "/opt/server_app/env/local/lib/python2.7/site-packages/itsdangerous.py", line 191, in base64_decode
    return base64.urlsafe_b64decode(string + b'=' * (-len(string) % 4))
  File "/usr/lib/python2.7/base64.py", line 112, in urlsafe_b64decode
    return b64decode(s, '-_')
  File "/usr/lib/python2.7/base64.py", line 76, in b64decode
    raise TypeError(msg)
TypeError: Incorrect padding

There is an open ticket on itsdangerous (pallets/itsdangerous#27) that would solve this issue(?), but there is no timeline for catching this.
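The failure mode described in this issue, as an added example that is not part of the report or of Flask-Security's code: a stdlib-only stand-in for the itsdangerous timed signer (`make_token`) and a `get_token_status` that returns the same `(expired, invalid, data)` triple Flask-Security uses, treating a base64 decode error on a malformed token as "invalid" instead of letting it escape as an unhandled exception. `SECRET`, `MAX_AGE` and the token layout are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET = b"example-secret-key"  # constructed for this example only
MAX_AGE = 3600                  # seconds a reset token stays valid (assumed)


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    # Same trick as itsdangerous.base64_decode in the traceback: re-add the
    # stripped '=' padding. Garbage such as "&url_id=jibberish" can still make
    # b64decode raise (TypeError on Python 2, binascii.Error on Python 3).
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def make_token(data, now=None) -> str:
    """Build 'payload.timestamp.signature', URL-safe base64, HMAC-SHA256 signed."""
    now = int(time.time() if now is None else now)
    body = _b64e(json.dumps(data).encode()) + b"." + _b64e(now.to_bytes(8, "big"))
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(sig)).decode()


def get_token_status(token: str, max_age: int = MAX_AGE, now=None):
    """Return (expired, invalid, data), mirroring Flask-Security's get_token_status."""
    try:
        payload, ts, sig = token.encode().rsplit(b".", 2)
        expected = hmac.new(SECRET, payload + b"." + ts, hashlib.sha256).digest()
        # A malformed signature either raises during decoding or decodes to
        # bytes that fail the constant-time compare; both end up "invalid".
        if not hmac.compare_digest(_b64d(sig), expected):
            return False, True, None
        issued = int.from_bytes(_b64d(ts), "big")
        data = json.loads(_b64d(payload))
    except (ValueError, binascii.Error, TypeError):
        # Covers too few '.' segments, bad padding and bad JSON alike, so the
        # reset view answers "invalid token" rather than a 500.
        return False, True, None
    now = int(time.time() if now is None else now)
    if now - issued > max_age:
        return True, False, None
    return False, False, data
```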

galeo pushed a commit to galeo/flask-security-outdated that referenced this issue Mar 4, 2020
Improve quickstart and examples to show that users MUST call hash_password(password).

Fix bug introduced in 3.3.0 that ended up requiring sqlalchemy to be installed (removed models from __init__.py)

Bumped version to 3.3.1

closes: pallets-eco#201
closes: pallets-eco#202