pool/python-python-jose
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
dfc9fe76f6
python-python-jose/CVE-2024-33664.patch

26 lines
816 B
Diff
Raw Normal View History

- Add upstream patches: * CVE-2024-33663.patch, bsc#1223417, gh#mpdavis/python-jose#349 * CVE-2024-33664.patch, bsc#1223422, gh#mpdavis/python-jose#345 * fix-tests-ecdsa-019.patch, gh#mpdavis/python-jose#350 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-jose?expand=0&rev=13
2024-05-06 11:15:25 +02:00
From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001
From: princekhunt <info@princekhunt.com>
Date: Wed, 20 Mar 2024 22:12:36 +0530
Subject: [PATCH] limit token size to 250 KB
---
jose/jwe.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/jose/jwe.py b/jose/jwe.py
index 2c387ff4..1e0833e7 100644
--- a/jose/jwe.py
+++ b/jose/jwe.py
@@ -76,6 +76,11 @@ def decrypt(jwe_str, key):
>>> jwe.decrypt(jwe_string, 'asecret128bitkey')
'Hello, World!'
"""
+
+ # limit the token size to 250 KB
+ if len(jwe_str) > 250 * 1024:
+ raise JWEError("JWE string exceeds 250 KB")
+
header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
# Verify that the implementation understands and can process all
Reference in New Issue Copy Permalink