signature: forbid arguments after signature (#35057)

2019-07-25 16:22:53 +02:00 · 2019-07-25 16:22:53 +02:00 · 83b285a467
parent e7abfc8ea7
commit 83b285a467
2 changed files with 4 additions and 1 deletions
--- a/hobo/signature.py
+++ b/hobo/signature.py
@ -51,12 +51,14 @@ def check_query(query, key, known_nonce=None, timedelta=30):
    if not ('signature' in parsed and 'algo' in parsed and
            'timestamp' in parsed and 'nonce' in parsed):
        return False
+    unsigned_query, signature_content = query.split('&signature=', 1)
+    if '&' in signature_content:
+        return False  # signature must be the last parameter
    signature = base64.b64decode(parsed['signature'][0])
    algo = parsed['algo'][0]
    timestamp = parsed['timestamp'][0]
    timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
    nonce = parsed['nonce']
-    unsigned_query = query.split('&signature=')[0]
    if known_nonce is not None and known_nonce(nonce):
        return False
    if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):
--- a/tests/test_signature.py
+++ b/tests/test_signature.py
@ -20,6 +20,7 @@ def test_signature():
    assert not signature.check_string(STRING, signature.sign_string(STRING, KEY), OTHER_KEY)
    assert not signature.check_query(signature.sign_query(QUERY, KEY), OTHER_KEY)
    assert not signature.check_url(signature.sign_url(URL, KEY), OTHER_KEY)
+    assert not signature.check_url('%s&foo=bar' % signature.sign_url(URL, KEY), KEY)

    # Test URL is preserved
    assert URL in signature.sign_url(URL, KEY)