quart-session
save_session from the SessionInterface class crashes with Werkzeug 3.0.1
The Werkzeug package was affected by the following bug: CVE-2023-46136.

Version 3.0.1 fixes it, but also adds this code to the dump_cookie method, which is used by the set_cookie method. This now requires the session_id to be a str instead of bytes type; when the session interface uses the default signer it crashes because it returns a bytes type.

It can be fixed by anyone creating a custom signer class that decodes the bytes and then passing it to the session interface:
```python
import hashlib
from typing import Optional

from itsdangerous import Signer
from quart_session.sessions import SessionInterface


class CustomSigner(Signer):
    # itsdangerous returns bytes; decode so set_cookie receives a str
    def sign(self, value: str) -> str:
        return super().sign(value).decode('utf-8')


class CustomInterface(SessionInterface):
    def _get_signer(self, app) -> Optional[Signer]:
        if not app.secret_key:
            return None
        return CustomSigner(app.secret_key, salt='session-salt',
                            key_derivation='hmac', digest_method=hashlib.sha384)
```
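The following is an added, self-contained illustration of the failure and the workaround; it is not code from quart-session, itsdangerous or Werkzeug. `dump_cookie` below is a constructed stand-in that only mimics the str-only check the issue describes, and `BytesSigner` is a minimal reimplementation of the itsdangerous signing scheme (HMAC key derived from secret and salt, URL-safe base64 signature joined with `.`) so the example runs without either package installed. The point it shows: the signature is ASCII, so decoding the bytes to str, as `StrSigner` does, keeps the value verifiable while satisfying the cookie layer.

```python
import base64
import hashlib
import hmac


def dump_cookie(key: str, value) -> str:
    """Constructed stand-in for the Werkzeug 3.0.1 behaviour described in the
    issue: the cookie value must be a str, anything else is rejected."""
    if not isinstance(value, str):
        raise TypeError(f"cookie value must be str, got {type(value).__name__}")
    return f"{key}={value}"


class BytesSigner:
    """Minimal itsdangerous-style signer (constructed, not the real class).
    sign() returns bytes, just like itsdangerous.Signer.sign()."""

    sep = b"."

    def __init__(self, secret_key: str, salt: str = "session-salt"):
        # 'hmac' key derivation: HMAC(secret_key, salt) with the digest method
        self.key = hmac.new(secret_key.encode(), salt.encode(), hashlib.sha384).digest()

    def get_signature(self, value: bytes) -> bytes:
        mac = hmac.new(self.key, value, hashlib.sha384).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=")

    def sign(self, value) -> bytes:
        if isinstance(value, str):
            value = value.encode("utf-8")
        return value + self.sep + self.get_signature(value)

    def unsign(self, signed) -> bytes:
        if isinstance(signed, str):
            signed = signed.encode("utf-8")
        value, _, sig = signed.rpartition(self.sep)
        # constant-time comparison, as itsdangerous does
        if not hmac.compare_digest(sig, self.get_signature(value)):
            raise ValueError("bad signature")
        return value


class StrSigner(BytesSigner):
    """The workaround from the issue: decode to str before set_cookie sees it."""

    def sign(self, value) -> str:
        return super().sign(value).decode("utf-8")


def save_session(signer, session_id: str) -> str:
    """Mirrors what save_session does: sign the id, hand it to the cookie layer."""
    return dump_cookie("session", signer.sign(session_id))


def default_signer_crashes(secret: str = "constructed-secret", sid: str = "abc123") -> bool:
    """True when the bytes-returning signer trips the str-only cookie check."""
    try:
        save_session(BytesSigner(secret), sid)
    except TypeError:
        return True
    return False


def round_trip(secret: str = "constructed-secret", sid: str = "abc123") -> bytes:
    """Sign with the str signer, then verify the cookie value and recover the id."""
    cookie = save_session(StrSigner(secret), sid)
    value = cookie[len("session="):]
    return StrSigner(secret).unsign(value)


if __name__ == "__main__":
    print("default signer crashes:", default_signer_crashes())
    print("str signer round trip:", round_trip())
```

Swapping the digest or salt in `BytesSigner` changes the derived key, so a cookie signed by one instance fails `unsign` on another; that is the same property that makes the `digest_method` and `salt` arguments in the issue's `CustomSigner` matter.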
Yeah. Lots of breaking changes to Werkzeug and Flask as of late.
Yes, I am having the same problem updating Werkzeug 3.0.1. Thanks a lot @urucoder for your suggestion :)