Diffstat (limited to 'mediagoblin/edit')
-rw-r--r--mediagoblin/edit/routing.py2
-rw-r--r--mediagoblin/edit/views.py19
2 files changed, 16 insertions, 5 deletions
diff --git a/mediagoblin/edit/routing.py b/mediagoblin/edit/routing.py
index 67c2c7be..3592f708 100644
--- a/mediagoblin/edit/routing.py
+++ b/mediagoblin/edit/routing.py
@@ -26,5 +26,5 @@ add_route('mediagoblin.edit.delete_account', '/edit/account/delete/',
'mediagoblin.edit.views:delete_account')
add_route('mediagoblin.edit.pass', '/edit/password/',
'mediagoblin.edit.views:change_pass')
-add_route('mediagoblin.edit.verify_email', '/edit/verify_email',
+add_route('mediagoblin.edit.verify_email', '/edit/verify_email/',
'mediagoblin.edit.views:verify_email')
diff --git a/mediagoblin/edit/views.py b/mediagoblin/edit/views.py
index 78e47fe0..249fb8ba 100644
--- a/mediagoblin/edit/views.py
+++ b/mediagoblin/edit/views.py
@@ -16,6 +16,7 @@
from datetime import datetime
+from itsdangerous import BadSignature
from werkzeug.exceptions import Forbidden
from werkzeug.utils import secure_filename
@@ -417,10 +418,20 @@ def verify_email(request):
if not 'token' in request.GET:
return render_404(request)
- # This throws an error, if the thing is faked or expired
- # should be catched, probably.
- token = get_timed_signer_url("mail_verification_token") \
- .loads(request.GET['token'], max_age=10*24*3600)
+ # Catch error if token is faked or expired
+ token = None
+ try:
+ token = get_timed_signer_url("mail_verification_token") \
+ .loads(request.GET['token'], max_age=10*24*3600)
+ except BadSignature:
+ messages.add_message(
+ request,
+ messages.ERROR,
+ _('The verification key or user id is incorrect.'))
+
+ return redirect(
+ request,
+ 'index')
user = User.query.filter_by(id=int(token['user'])).first()
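Review bot: The new `except BadSignature:` handler treats an expired token and a forged one identically, because itsdangerous raises `SignatureExpired` as a subclass of `BadSignature`. A user whose link is older than the 10-day `max_age` is told the key is incorrect, with no hint to request a fresh verification mail. Consider adding an `except SignatureExpired:` clause ahead of it with its own message. It may also help to log the remaining `BadSignature` case, so repeated tampered tokens are visible to operators; whether this module has a logger is not visible here. The `token = None` initialisation looks unnecessary, assuming the `return redirect(...)` sits inside the handler (indentation is lost in this view), since `token` is then always bound before `int(token['user'])` runs. `verify_email` continues past the end of the hunk.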