On Tue, May 19, 2020 at 8:49 PM David Mertz <mertz@gnosis.cx> wrote:

elif fmt == "PBKDF2_SHA256":
h = base64.b64encode(base64.b64decode(text)[:32])
# a terrible hack follows, use "adapted base64" alphabet (using . instead of + and with no padding)
h = h.rstrip("=").replace("+", ".")
salt = base64.b64encode(salt)
salt = salt.rstrip("=").replace("+", ".")

We actually know that base64 code should only produce at most 2 '='s as padding. In this instance, the encoding comes immediately before the stripping. However, perhaps some code would pass the encoded string and you wouldn't be as confident locally that extra '='s hadn't snuck in.

If it existed, I think these lines would be good candidates for 'maxstrip'.

Not a very strong ending 🤣

I may be misunderstanding, but it sounds like = is not acceptable in the final result, so it's not enough to remove only 2 of 4 ='s. You want to make sure nothing messed up your string. So if the code existed, what you'd want is:

```

assert salt.count("=") <= 2

salt = salt.rstrip("=", "")

assert "=" not in salt

```