authorJosé Padilla <jpadilla@webapplicate.com>2015-03-17 13:07:22 -0400
committerJosé Padilla <jpadilla@webapplicate.com>2015-03-17 13:10:25 -0400
commit5a2bcf4b9da6b66c9469e597151d62f661fd3710 (patch)
tree3c2796a64c98ea533daca465069d6638c9a3bf19 /jwt/api.py
parentd47163117bef52392f314406ad0a4177e2a65e16 (diff)
Work in progress fix for vulnerability (branch: fix_alg_vuln_on_verify)
Diffstat (limited to 'jwt/api.py')
-rw-r--r--jwt/api.py25
1 files changed, 22 insertions, 3 deletions
diff --git a/jwt/api.py b/jwt/api.py
index e509e23..e1b4672 100644
--- a/jwt/api.py
+++ b/jwt/api.py
@@ -89,8 +89,10 @@ def decode(jwt, key='', verify=True, **kwargs):
payload, signing_input, header, signature = load(jwt)
if verify:
- verify_signature(payload, signing_input, header, signature, key,
- **kwargs)
+ verify_signature(
+ payload, signing_input, header,
+ signature, key, **kwargs
+ )
return payload
@@ -136,7 +138,20 @@ def load(jwt):
def verify_signature(payload, signing_input, header, signature, key='',
verify_expiration=True, leeway=0, audience=None,
- issuer=None):
+ issuer=None, algorithms=None):
+
+ if not algorithms and isinstance(key, string_types):
+ secret = key
+ if isinstance(key, text_type):
+ secret = key.encode('utf-8')
+
+ if b'BEGIN CERTIFICATE' in secret or b'BEGIN PUBLIC KEY' in secret:
+ algorithms = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512']
+ else:
+ algorithms = ['HS256', 'HS384', 'HS512']
+
+ if not algorithms:
+ algorithms = _algorithms.keys()
if isinstance(leeway, timedelta):
leeway = timedelta_total_seconds(leeway)
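Review bot: The key-content heuristic on the `if b'BEGIN CERTIFICATE' in secret or b'BEGIN PUBLIC KEY' in secret` line only recognises those two PEM labels, so a PKCS#1 `-----BEGIN RSA PUBLIC KEY-----` PEM (or a private key handed in for verification) falls through to the `else` branch, is whitelisted for `HS256/HS384/HS512`, and the PEM text is then usable as an HMAC secret — the exact algorithm-confusion case this change is meant to close. Treating any unrecognised string as an HMAC secret is the unsafe default; widening the check to `if b'BEGIN ' in secret and (b'PUBLIC KEY' in secret or b'PRIVATE KEY' in secret or b'CERTIFICATE' in secret):` covers more PEM labels, but inferring the allowed algorithms from the key's contents remains a guess that an attacker-chosen `alg` header is designed to exploit. The fallback `algorithms = _algorithms.keys()` is reached whenever the key is not a string (e.g. a loaded key object) and re-enables every registered algorithm — presumably including `'none'` if it is registered in `_algorithms`, which is not visible here — so such callers get no protection at all; requiring an explicit `algorithms` argument and raising `DecodeError` when it is missing would be the robust fix. verify_signature's body continues outside the hunk.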
@@ -146,6 +161,10 @@ def verify_signature(payload, signing_input, header, signature, key='',
try:
alg_obj = _algorithms[header['alg']]
+
+ if header['alg'] not in algorithms:
+ raise DecodeError('Signature verification failed')
+
key = alg_obj.prepare_key(key)
if not alg_obj.verify(signing_input, key, signature):