cope with invalid signatures

2011-11-18 12:33:40 -08:00 · 2011-11-18 12:33:40 -08:00 · 509866e112
--- a/apps/webapps/tests/test_verify.py
+++ b/apps/webapps/tests/test_verify.py
@ -15,6 +15,8 @@ from users.models import UserProfile
 from stats.models import Contribution

 import json
+import jwt
+import M2Crypto
 import mock


@ -56,6 +58,9 @@ class TestVerify(amo.tests.TestCase):
    def test_invalid_receipt(self):
        eq_(self.get_decode(1, 'blah')['status'], 'invalid')

+    def test_invalid_signature(self):
+        eq_(self.get_decode(1, 'blah.blah.blah')['status'], 'invalid')
+
    def test_no_user(self):
        eq_(self.get(1, {})['status'], 'invalid')

@ -103,3 +108,9 @@ class TestVerify(amo.tests.TestCase):
        receipt = self.make_install().receipt
        result = verify.decode_receipt(receipt)
        eq_(result['typ'], u'purchase-receipt')
+
+    def test_crack_borked_receipt(self):
+        self.addon.update(type=amo.ADDON_WEBAPP, manifest_url='http://a.com')
+        receipt = self.make_install().receipt
+        self.assertRaises(M2Crypto.RSA.RSAError, verify.decode_receipt,
+                          receipt + 'x')
--- a/services/verify.py
+++ b/services/verify.py
@ -7,6 +7,7 @@ from utils import (log_exception, log_info, mypool, settings,
                   CONTRIB_CHARGEBACK, CONTRIB_PURCHASE, CONTRIB_REFUND)

 import jwt
+import M2Crypto
 # This has to be imported after the settings (utils).
 from statsd import statsd

@ -29,8 +30,8 @@ class Verify:
        # information.
        try:
            receipt = decode_receipt(self.receipt)
-        except jwt.DecodeError:
-            self.log('Error decoding receipt')
+        except (jwt.DecodeError, M2Crypto.RSA.RSAError), e:
+            self.log('Error decoding receipt: %s' % e)
            return self.invalid()

        # 2. Get the addon and user information from the