diff --git a/flask_security/utils.py b/flask_security/utils.py index 6bf83ee..57d7e28 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -318,6 +318,10 @@ def get_token_status(token, serializer, max_age=None): expired = True except BadSignature: invalid = True + except TypeError: + invalid = True + except ValueError: + invalid = True if data: user = _datastore.find_user(id=data[0]) diff --git a/tests/configured_tests.py b/tests/configured_tests.py index cd223c2..a66dc85 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -425,6 +425,16 @@ class RecoverableTests(SecurityTest): m = self.get_message('INVALID_RESET_PASSWORD_TOKEN') self.assertIn(m.encode('utf-8'), r.data) + def test_reset_password_with_mangled_token(self): + t = "WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd.BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d" + r = self._post('/reset/' + t, data={ + 'password': 'newpassword', + 'password_confirm': 'newpassword' + }, follow_redirects=True) + + m = self.get_message('INVALID_RESET_PASSWORD_TOKEN') + self.assertIn(m.encode('utf-8'), r.data) + class ExpiredResetPasswordTest(SecurityTest):