From c739e61696f9e28abbd86ff19265540c2c4b9e6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9lestin=20Matte?=
Date: Mon, 20 Feb 2023 19:29:03 +0100
Subject: [PATCH] Indicate when PGAUTH_KEY is invalid instead of crashing

---
 django/archives/auth.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/django/archives/auth.py b/django/archives/auth.py
index d7bd25c..9c174fb 100644
--- a/django/archives/auth.py
+++ b/django/archives/auth.py
@@ -104,10 +104,13 @@ def auth_receive(request):
 return HttpResponse("Missing data in url!", status=400)

 # Set up an AES object and decrypt the data we received
- decryptor = AES.new(base64.b64decode(settings.PGAUTH_KEY),
+ try:
+ decryptor = AES.new(base64.b64decode(settings.PGAUTH_KEY),
 AES.MODE_CBC,
 base64.b64decode(str(request.GET['i']), "-_"))
- s = decryptor.decrypt(base64.b64decode(str(request.GET['d']), "-_")).rstrip(b' ').decode('utf8')
+ s = decryptor.decrypt(base64.b64decode(str(request.GET['d']), "-_")).rstrip(b' ').decode('utf8')
+ except (UnicodeDecodeError, ValueError):
+ return HttpResponse("Invalid PGAUTH_KEY.", status=400)

 # Now un-urlencode it
 try:
--
2.39.2
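Review bot: The new `except (UnicodeDecodeError, ValueError)` covers the base64 decoding of the request-supplied `i` and `d` values as well as the key setup, so a malformed or tampered URL is answered with "Invalid PGAUTH_KEY." even when the key is fine, and any unauthenticated caller gets a statement about server configuration in the response. I would split the two cases: check `settings.PGAUTH_KEY` on its own and treat a bad key as a server-side error (status 500, logged for the operator), and answer failures caused by request data with a generic 400. A key of valid length but wrong value still shows up only as a decode failure, which cannot be told apart from bad input at this point, so the generic message is the accurate one for that branch. `auth_receive` starts before and continues past this hunk, so whether `i` is checked for presence earlier is not visible here.

```python
    # Set up an AES object and decrypt the data we received
    try:
        key = base64.b64decode(settings.PGAUTH_KEY)
    except ValueError:
        key = b''
    if len(key) not in AES.key_size:
        # Server-side misconfiguration: report it as such, not as a client error
        return HttpResponse("Authentication is not configured correctly.", status=500)

    try:
        decryptor = AES.new(key,
                            AES.MODE_CBC,
                            base64.b64decode(str(request.GET['i']), "-_"))
        s = decryptor.decrypt(base64.b64decode(str(request.GET['d']), "-_")).rstrip(b' ').decode('utf8')
    except (UnicodeDecodeError, ValueError):
        # Bad IV, bad ciphertext, or a key that does not match the sender's
        return HttpResponse("Invalid encrypted data.", status=400)

    # … unchanged: un-urlencode the decrypted payload …
```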