On Tue, May 19, 2020 at 8:49 PM David Mertz <mertz@gnosis.cx> wrote:
```python
elif fmt == "PBKDF2_SHA256":
    h = base64.b64encode(base64.b64decode(text)[:32])
    # a terrible hack follows, use "adapted base64" alphabet
    # (using . instead of + and with no padding)
    h = h.rstrip("=").replace("+", ".")
    salt = base64.b64encode(salt)
    salt = salt.rstrip("=").replace("+", ".")
```
We actually know that base64 code should only produce at most 2 '='s as padding. In this instance, the encoding comes immediately before the stripping. However, perhaps some code would pass the encoded string and you wouldn't be as confident locally that extra '='s hadn't snuck in.
If it existed, I think these lines would be good candidates for 'maxstrip'.
Not a very strong ending 🤣 I may be misunderstanding, but it sounds like = is not acceptable in the final result, so it's not enough to remove only 2 of 4 ='s. You want to make sure nothing messed up your string. So if the code existed, what you'd want is:
```
assert salt.count("=") <= 2
salt = salt.rstrip("=", "")
assert "=" not in salt
```
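As an added example (not code from either message in the thread), this is what the "adapted base64" transform in the quoted snippet looks like with a matching decoder: the encoder strips only the padding b64encode actually produced, and the decoder restores it and rejects stray '=' or '+' instead of guessing. The ab64_* names and the $pbkdf2-sha256$ record layout are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac

def ab64_encode(data: bytes) -> str:
    """Encode bytes as 'adapted base64': '.' instead of '+' and no '=' padding."""
    encoded = base64.b64encode(data).decode("ascii")
    stripped = encoded.rstrip("=")
    # b64encode never emits more than two pad characters, so stripping is safe here.
    assert len(encoded) - len(stripped) <= 2
    return stripped.replace("+", ".")

def ab64_decode(text: str) -> bytes:
    """Decode adapted base64, rejecting input that is not exactly well-formed."""
    if "=" in text or "+" in text:
        raise ValueError("'=' and '+' never appear in adapted base64")
    if len(text) % 4 == 1:
        raise ValueError("invalid adapted base64 length")
    # Restore the padding the encoder removed (0, 1 or 2 '=' characters),
    # then let the strict decoder reject anything outside the alphabet.
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed adapted base64: {exc}") from exc

# The record layout below is an assumption for this example, not a format from the thread.
def pbkdf2_sha256_record(password: bytes, salt: bytes, rounds: int) -> str:
    """Store the salt and the 32-byte PBKDF2-HMAC-SHA256 digest in adapted base64."""
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, rounds, dklen=32)
    return f"$pbkdf2-sha256${rounds}${ab64_encode(salt)}${ab64_encode(digest)}"

def verify_record(password: bytes, record: str) -> bool:
    """Verify a password; a corrupted record raises instead of silently comparing garbage."""
    _, scheme, rounds, salt_ab64, digest_ab64 = record.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt, expected = ab64_decode(salt_ab64), ab64_decode(digest_ab64)
    actual = hashlib.pbkdf2_hmac("sha256", password, salt, int(rounds), dklen=32)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed sample values; a real salt comes from os.urandom(16).
    rec = pbkdf2_sha256_record(b"correct horse", b"\xfb\xf0" * 8, 1000)
    print(rec, verify_record(b"correct horse", rec), verify_record(b"wrong", rec))
```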