# HG changeset patch
# User RhodeCode Admin
# Date 2024-05-06 12:54:21
# Node ID 0a39631eef088d3926b23917fb48c74d6d3b86ee
# Parent 6a5d4eae6649f04d6899858aa4899f561e177e7d
fix(encryption): don't be strict on enc format when no enc headers are missing. This fixes problem with migration of OLD unencrypted DBs into a encryption format
diff --git a/rhodecode/lib/encrypt.py b/rhodecode/lib/encrypt.py
--- a/rhodecode/lib/encrypt.py
+++ b/rhodecode/lib/encrypt.py
@@ -43,6 +43,7 @@ class InvalidDecryptedValue(str):
 content = f'<{cls.__name__}({content[:16]}...)>'
 return str.__new__(cls, content)
+ KEY_FORMAT = b'enc$aes_hmac${1}'
diff --git a/rhodecode/lib/encrypt2.py b/rhodecode/lib/encrypt2.py
--- a/rhodecode/lib/encrypt2.py
+++ b/rhodecode/lib/encrypt2.py
@@ -29,12 +29,16 @@ class Encryptor(object):
 @classmethod
 def detect_enc_algo(cls, enc_data: bytes):
 parts = enc_data.split(b'$', 3)
- if len(parts) != 3:
- raise ValueError(f'Encrypted Data has invalid format, expected {cls.key_format}, got {parts}')
 if b'enc$aes_hmac$' in enc_data:
+ # we expect this data is encrypted, so validate the header
+ if len(parts) != 3:
+ raise ValueError(f'Encrypted Data has invalid format, expected {cls.key_format}, got `{parts}`')
 return 'aes'
 elif b'enc2$salt' in enc_data:
+ # we expect this data is encrypted, so validate the header
+ if len(parts) != 3:
+ raise ValueError(f'Encrypted Data has invalid format, expected {cls.key_format}, got `{parts}`')
 return 'fernet'
 return None
@@ -65,7 +69,7 @@ class Encryptor(object):
 def _get_parts(self, enc_data):
 parts = enc_data.split(b'$', 3)
 if len(parts) != 3:
- raise ValueError(f'Encrypted Data has invalid format, expected {self.key_format}, got {parts}')
+ raise ValueError(f'Encrypted Data has invalid format, expected {self.key_format}, got `{parts}`')
 prefix, salt, enc_data = parts
 try:
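Review bot: In `detect_enc_algo` (rhodecode/lib/encrypt2.py) the scheme is still recognised with a substring test, `b'enc$aes_hmac$' in enc_data` and `b'enc2$salt' in enc_data`, so a legacy plaintext value that merely contains one of those markers is classified as encrypted, or raises if it does not split into three parts. Now that values without a header are deliberately let through with `None`, this test appears to be the only thing separating stored plaintext from ciphertext, and it should be anchored: `if enc_data.startswith(b'enc$aes_hmac$'):` and `elif enc_data.startswith(b'enc2$salt'):`. The length check could then run once after the match instead of being duplicated in both branches. How callers treat the `None` result is outside this hunk; if they return the stored value unchanged, a truncated or tampered ciphertext whose header was lost would be accepted as plaintext, so it is worth confirming that path is limited to migration.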
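Review bot: The `ValueError` in `_get_parts` interpolates the full `parts` list into its message, and the two raises added to `detect_enc_algo` in the previous hunk reuse the same f-string. Since this commit exists because unencrypted legacy values reach these code paths, a malformed value can put a stored secret (or salt and ciphertext) into tracebacks and logs. Consider reporting only the shape, e.g. `got {len(parts)} parts`, rather than the content; `InvalidDecryptedValue` in encrypt.py already limits what it echoes with `content[:16]`. The body of `_get_parts` continues past the end of the hunk.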