Daniel Garcia
ff2ca96bea
* CVE-2024-33663.patch, bsc#1223417, gh#mpdavis/python-jose#349 * CVE-2024-33664.patch, bsc#1223422, gh#mpdavis/python-jose#345 * fix-tests-ecdsa-019.patch, gh#mpdavis/python-jose#350 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-python-jose?expand=0&rev=13
26 lines
816 B
Diff
26 lines
816 B
Diff
From 483529ee93a3ab510ab579d4d4cc644dba926ade Mon Sep 17 00:00:00 2001
|
|
From: princekhunt <info@princekhunt.com>
|
|
Date: Wed, 20 Mar 2024 22:12:36 +0530
|
|
Subject: [PATCH] limit token size to 250 KB
|
|
|
|
---
|
|
jose/jwe.py | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/jose/jwe.py b/jose/jwe.py
|
|
index 2c387ff4..1e0833e7 100644
|
|
--- a/jose/jwe.py
|
|
+++ b/jose/jwe.py
|
|
@@ -76,6 +76,11 @@ def decrypt(jwe_str, key):
|
|
>>> jwe.decrypt(jwe_string, 'asecret128bitkey')
|
|
'Hello, World!'
|
|
"""
|
|
+
|
|
+ # limit the token size to 250 KB
|
|
+ if len(jwe_str) > 250 * 1024:
|
|
+ raise JWEError("JWE string exceeds 250 KB")
|
|
+
|
|
header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
|
|
|
|
# Verify that the implementation understands and can process all
|