
Fernet messages can still be decrypted when garbage is appended #1994

@dolph

Description

To reproduce, start with the beginning of the example from the docs at https://cryptography.io/en/latest/fernet/

>>> from cryptography.fernet import Fernet
>>> key = Fernet.generate_key()
>>> f = Fernet(key)
>>> token = f.encrypt(b"my deep dark secret")

It appears that you can append whatever you want to the token and still produce the original secret:

>>> f.decrypt(token + b'-GARBAGE')
b'my deep dark secret'

Even random UUIDs:

>>> import uuid
>>> f.decrypt(token + uuid.uuid4().bytes)
b'my deep dark secret'
>>> f.decrypt(token + uuid.uuid4().bytes)
b'my deep dark secret'
>>> f.decrypt(token + uuid.uuid4().bytes)
b'my deep dark secret'

I'd expect cryptography.fernet.InvalidToken to be raised in all these cases.

This behavior was originally reported by Matt Fischer against openstack/keystone in:

https://bugs.launchpad.net/keystone/+bug/1459483
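The mechanism behind this report is Python's base64 decoder, not the HMAC: in its default (non-strict) mode, `binascii.a2b_base64` stops at the first complete padding group and silently discards everything after it, and Fernet verifies the HMAC over the *decoded* bytes, so bytes appended after the token's trailing `=` never reach the MAC. The following is an added, self-contained example (not code from the issue or from pyca/cryptography): it reproduces Fernet's framing (`0x80 | timestamp | IV | ciphertext | HMAC-SHA256`) and base64url step with an opaque stand-in for the ciphertext (no AES-CBC is performed), then shows a tolerant verifier that accepts trailing garbage beside a strict one that re-encodes the decoded bytes and rejects anything non-canonical. `SIGNING_KEY`, `make_token`, `verify_tolerant` and `verify_strict` are names assumed for this example, and the key and sample inputs are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import uuid

# Constructed signing key for this example only. A real Fernet key is 32
# random bytes (16 signing + 16 encryption), base64url-encoded.
SIGNING_KEY = b"\x01" * 16

TOKEN_VERSION = 0x80
MAC_LEN = 32
MIN_TOKEN_LEN = 1 + 8 + 16 + MAC_LEN  # version, timestamp, IV, HMAC-SHA256


def make_token(ciphertext: bytes, iv: bytes, timestamp: int) -> bytes:
    """Assemble a token with Fernet's framing: 0x80 | ts | IV | ciphertext | HMAC.

    `ciphertext` is passed in opaque: this example does no AES-CBC, it only
    reproduces the framing, the MAC and the base64url step whose decoder is
    tolerant of trailing data.
    """
    basic_parts = (
        bytes([TOKEN_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    )
    tag = hmac.new(SIGNING_KEY, basic_parts, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(basic_parts + tag)


def _mac_is_valid(data: bytes) -> bool:
    """HMAC check over the decoded bytes, the way Fernet performs it."""
    if len(data) < MIN_TOKEN_LEN or data[0] != TOKEN_VERSION:
        return False
    basic_parts, tag = data[:-MAC_LEN], data[-MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, basic_parts, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def verify_tolerant(token: bytes) -> bool:
    """Decode with plain urlsafe_b64decode, then verify the MAC.

    The non-strict base64 decoder stops at the first complete padding group
    and drops whatever follows, so garbage appended to a padded token never
    reaches the MAC and the check passes.
    """
    try:
        data = base64.urlsafe_b64decode(token)
    except (TypeError, binascii.Error):
        return False
    return _mac_is_valid(data)


def verify_strict(token: bytes) -> bool:
    """Same check, but reject any input the decoder would silently shorten.

    A genuine token is exactly the canonical base64url encoding of its own
    decoded bytes, so re-encoding and comparing catches appended bytes,
    stray characters and non-canonical padding alike.
    """
    try:
        data = base64.urlsafe_b64decode(token)
    except (TypeError, binascii.Error):
        return False
    if base64.urlsafe_b64encode(data) != token:
        return False
    return _mac_is_valid(data)


if __name__ == "__main__":
    # Constructed sample: a 32-byte "ciphertext", fixed IV and timestamp.
    token = make_token(bytes(range(32)), bytes(range(16)), 1_431_000_000)
    print(token)                                        # ends in "=", one pad char
    print(verify_tolerant(token + b"-GARBAGE"))         # True: garbage dropped
    print(verify_tolerant(token + uuid.uuid4().bytes))  # True, same reason
    print(verify_strict(token + b"-GARBAGE"))           # False
```

Two practical notes. First, the report only reproduces for tokens whose decoded length is not a multiple of 3, because those are the ones that carry `=` padding; for an unpadded token the appended characters are decoded into extra bytes, the MAC is then computed over the wrong slice, and verification fails on its own. Second, on Python 3.11 and later `binascii.a2b_base64(s, strict_mode=True)` also rejects data after padding, but it expects the standard alphabet, so a base64url token must have `-` and `_` translated to `+` and `/` first; the re-encode comparison above has no such version dependency.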
