From b2174bf0359262c666d4abd65a442ebb5512cf5b Mon Sep 17 00:00:00 2001 From: Jameson Date: Tue, 7 Jan 2014 12:23:18 -0800 Subject: [PATCH 1/4] catch possible TypeError and ValueError from serializer --- flask_security/utils.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/flask_security/utils.py b/flask_security/utils.py index bc59890..ec85ab5 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -315,6 +315,10 @@ def get_token_status(token, serializer, max_age=None): expired = True except BadSignature: invalid = True + except TypeError: + invalid = True + except ValueError: + invalid = True if data: user = _datastore.find_user(id=data[0]) From f47fce9365d714aa633a82308e9bb141193d5426 Mon Sep 17 00:00:00 2001 From: Jameson Date: Thu, 23 Jan 2014 00:20:56 +0000 Subject: [PATCH 2/4] add test to show TypeError can occur --- tests/configured_tests.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/configured_tests.py b/tests/configured_tests.py index 5f16191..0324ecf 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -425,6 +425,15 @@ class RecoverableTests(SecurityTest): m = self.get_message('INVALID_RESET_PASSWORD_TOKEN') self.assertIn(m.encode('utf-8'), r.data) + def test_reset_password_with_mangled_token(self): + t = "WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd.BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d" + r = self._post('/reset/' + t, data={ + 'password': 'newpassword', + 'password_confirm': 'newpassword' + }, follow_redirects=True) + + self.assertIn(self.get_message('INVALID_RESET_PASSWORD_TOKEN'), r.data) + class ExpiredResetPasswordTest(SecurityTest): From b4d1a7c9218fefa6931a394c771bd44a73b1ceb5 Mon Sep 17 00:00:00 2001 From: Jameson Date: Thu, 23 Jan 2014 23:33:11 +0000 Subject: [PATCH 3/4] update to make test run red --- flask_security/utils.py | 8 ++++---- tests/configured_tests.py | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/flask_security/utils.py b/flask_security/utils.py index ec85ab5..336bb0d 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -315,10 +315,10 @@ def get_token_status(token, serializer, max_age=None): expired = True except BadSignature: invalid = True - except TypeError: - invalid = True - except ValueError: - invalid = True +# except TypeError: +# invalid = True +# except ValueError: +# invalid = True if data: user = _datastore.find_user(id=data[0]) diff --git a/tests/configured_tests.py b/tests/configured_tests.py index 0324ecf..cc59011 100644 --- a/tests/configured_tests.py +++ b/tests/configured_tests.py @@ -432,7 +432,8 @@ class RecoverableTests(SecurityTest): 'password_confirm': 'newpassword' }, follow_redirects=True) - self.assertIn(self.get_message('INVALID_RESET_PASSWORD_TOKEN'), r.data) + m = self.get_message('INVALID_RESET_PASSWORD_TOKEN') + self.assertIn(m.encode('utf-8'), r.data) class ExpiredResetPasswordTest(SecurityTest): From 45c8951877d2f2855c77bae5b168b6a1c295cf51 Mon Sep 17 00:00:00 2001 From: Jameson Date: Fri, 24 Jan 2014 04:41:41 +0000 Subject: [PATCH 4/4] passes tests --- flask_security/utils.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flask_security/utils.py b/flask_security/utils.py index 336bb0d..ec85ab5 100644 --- a/flask_security/utils.py +++ b/flask_security/utils.py @@ -315,10 +315,10 @@ def get_token_status(token, serializer, max_age=None): expired = True except BadSignature: invalid = True -# except TypeError: -# invalid = True -# except ValueError: -# invalid = True + except TypeError: + invalid = True + except ValueError: + invalid = True if data: user = _datastore.find_user(id=data[0])