signature: forbid arguments after signature (#35057)
This commit is contained in:
parent
e7abfc8ea7
commit
83b285a467
|
@ -51,12 +51,14 @@ def check_query(query, key, known_nonce=None, timedelta=30):
|
|||
if not ('signature' in parsed and 'algo' in parsed and
|
||||
'timestamp' in parsed and 'nonce' in parsed):
|
||||
return False
|
||||
unsigned_query, signature_content = query.split('&signature=', 1)
|
||||
if '&' in signature_content:
|
||||
return False # signature must be the last parameter
|
||||
signature = base64.b64decode(parsed['signature'][0])
|
||||
algo = parsed['algo'][0]
|
||||
timestamp = parsed['timestamp'][0]
|
||||
timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
|
||||
nonce = parsed['nonce']
|
||||
unsigned_query = query.split('&signature=')[0]
|
||||
if known_nonce is not None and known_nonce(nonce):
|
||||
return False
|
||||
if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):
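Review bot: The new two-target unpacking `unsigned_query, signature_content = query.split('&signature=', 1)` raises ValueError when `signature` is the first parameter of the query (no leading `&`), a case the earlier `'signature' in parsed` guard lets through if `parsed` is the parsed form of the same query. The replaced line returned the whole query in that case and the check then failed closed on signature mismatch, so this turns a rejected request into an unhandled exception for attacker-controlled input. Suggested: `parts = query.split('&signature=', 1)` / `if len(parts) != 2 or '&' in parts[1]: return False  # signature must be the last parameter` / `unsigned_query = parts[0]`. The `'&'` test on the remainder correctly also rejects a second `signature=` parameter, since the split is capped at one. check_query continues past the end of this hunk, and `parsed` is defined above it.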
|
||||
|
|
|
@ -20,6 +20,7 @@ def test_signature():
|
|||
assert not signature.check_string(STRING, signature.sign_string(STRING, KEY), OTHER_KEY)
|
||||
assert not signature.check_query(signature.sign_query(QUERY, KEY), OTHER_KEY)
|
||||
assert not signature.check_url(signature.sign_url(URL, KEY), OTHER_KEY)
|
||||
assert not signature.check_url('%s&foo=bar' % signature.sign_url(URL, KEY), KEY)
|
||||
|
||||
# Test URL is preserved
|
||||
assert URL in signature.sign_url(URL, KEY)
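Review bot: The added assertion `assert not signature.check_url('%s&foo=bar' % ...)` exercises only a foreign parameter appended after the signature; the more security-relevant variants of the same bypass, a duplicated `signature=` parameter and a query where `signature` is the leading parameter, are not covered. Consider adding `assert not signature.check_query('%s&signature=AAAA' % signature.sign_query(QUERY, KEY), KEY)` alongside it, and a check_query call on a query whose first parameter is `signature=` so a non-boolean outcome (an exception) in that path would be caught here rather than in production. test_signature starts above this hunk.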
|
||||
|
|