Wrong timestamp during migrating from v0.28 -> v1.1.0 #204

Closed
Garrett-R opened this issue Dec 23, 2020 · 2 comments

@Garrett-R
Garrett-R commented Dec 23, 2020

According to this page, migrating from 0.28 -> 1.1.0 should be fine, but my timestamp is showing up as 1979.

Here's a simple example.

First, do pip install itsdangerous==0.24, then execute this script:

from itsdangerous import URLSafeTimedSerializer

signing_serializer = URLSafeTimedSerializer('blah-blah')
cookie_val = signing_serializer.dumps('My Message')
timestamp = signing_serializer.loads(cookie_val, return_timestamp=True)[1]
print(f'Got {cookie_val=} with {timestamp=} (itsdangerous 0.24)')

For me, the output was:

Got cookie_val='Ik15IE1lc3NhZ2Ui.EsUWgA.a1holhKzlayr2idrEYcOUQSObXs' with timestamp=datetime.datetime(2020, 12, 23, 17, 57, 20) (itsdangerous 0.24)

Now do pip install itsdangerous==1.1.0, then copy the cookie val from the print above (will be different each time) and paste it into the below script:

from itsdangerous import URLSafeTimedSerializer

signing_serializer = URLSafeTimedSerializer('blah-blah')
# (this val was from previous script)
previous_cookie_val = 'Ik15IE1lc3NhZ2Ui.EsUWgA.a1holhKzlayr2idrEYcOUQSObXs'
previous_timestamp = signing_serializer.loads(previous_cookie_val, return_timestamp=True)[1]
print(f'Got {previous_cookie_val=} with {previous_timestamp=} (itsdangerous 1.1.0)')

For me, the output is:

Got previous_cookie_val='Ik15IE1lc3NhZ2Ui.EsUWgA.a1holhKzlayr2idrEYcOUQSObXs' with previous_timestamp=datetime.datetime(1979, 12, 24, 17, 57, 20) (itsdangerous 1.1.0)

(notice it's 1979)


OS: Ubuntu 18.04
Python: 3.9

@davidism
Member

davidism commented Jan 29, 2021

This is due to #46, and the issue is a duplicate of #120 and #126, which have some good discussion.

#46 and a bunch of other issues pointed out that it wasn't possible to work with timestamps before 2011, which could happen on embedded systems or those without NTP. I agreed that it made more sense to use the full timestamp from 1970 instead of 2011, and changed that here: 9981a90, which is why you see 1970 + 9 instead of 2011 + 9.

#120 noticed that it affected validation when upgrading. #126 and #133 fix the validation logic so it checks timestamps in both directions, so there's at least a clear validation error message.

Sorry for the confusion, I understand it's frustrating to run into this. At this point, I don't think we're going to add more fallback code. Some fallback implementations that a project can use are proposed in #120.
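
Added example (not part of the issue thread, not itsdangerous code, and not one of the fallbacks proposed in #120): decoding the timestamp segment of the token quoted in the issue shows the 2011-versus-1970 base behind the 1979 date, and `issued_at` is one hypothetical fallback that retries the 2011 base only when the 1970 reading falls outside `max_age`. The names `LEGACY_EPOCH`, `raw_timestamp`, `issued_at` and `utc` are chosen here, `LEGACY_EPOCH` is the 2011-01-01 UTC offset the pre-1.0 releases subtracted, and the token's signature is assumed to have been verified already.

```python
import base64
from datetime import datetime, timezone

LEGACY_EPOCH = 1293840000  # 2011-01-01 00:00:00 UTC, subtracted by pre-1.0 releases


def raw_timestamp(token: str) -> int:
    """Return the integer stored in the timestamp segment (second from the end)."""
    segment = token.rsplit(".", 2)[1]
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64 padding
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def issued_at(token: str, now: int, max_age: int):
    """Return (issued_epoch_seconds, base_year), or (None, "expired").

    Hypothetical fallback: read the value as seconds since 1970 first; only if
    that is outside the window, retry with the 2011 offset added. A reading in
    the future (negative age) is never accepted. The signature is NOT checked
    here; call this only on a token whose signature already verified.
    """
    raw = raw_timestamp(token)
    for base_year, issued in (("1970", raw), ("2011", raw + LEGACY_EPOCH)):
        if 0 <= now - issued <= max_age:
            return issued, base_year
    return None, "expired"


def utc(seconds: int) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


# Token quoted in the issue (signed by 0.24 with the key 'blah-blah').
TOKEN = "Ik15IE1lc3NhZ2Ui.EsUWgA.a1holhKzlayr2idrEYcOUQSObXs"

if __name__ == "__main__":
    raw = raw_timestamp(TOKEN)
    print(raw, utc(raw), utc(raw + LEGACY_EPOCH))
    # Constructed "now": one hour after the token was issued on 0.24.
    now = raw + LEGACY_EPOCH + 3600
    print(issued_at(TOKEN, now, max_age=86400))
```

Because a token written by 1.1.0 read with the 2011 base lands about 41 years in the future, the negative-age check keeps the retry from accepting it.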

@Garrett-R
Author

Thanks for the detailed response!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 14, 2021