better base64 validation

Issue #31 on hold
Eli Collins
repo owner created an issue
(Imported from Google Code)

many of the hashes in passlib rely on stdlib's base64.b64decode() to perform validation of base64 sequences. but b64decode() is way more tolerant than I'd like for a password hash parser - it cheerfully accepts things like b64decode('Zm9v==Z\n Xk====='); which while useful in most contexts, is not so much here.

since passlib 1.6 is close to release, this will probably have to wait til 1.7, but would like to wrap / replace the decoder with a stricter one, just to prevent malformed hashes from being accepted in certain border cases.

Comments (4)

  1. Eli Collins reporter

    (Imported from Google Code)

    This hasn't ever been an issue in the real world, and adding a base64 decoding wrapper would add a (admittedly minor) increasing in processing time. Currently unsure if this level of strictness is worth it, so demoting this to wishlist for now.

  2. Log in to comment