Comments (5)
@stigtsp It seems fixed, the patch basically introduces a blocklist of public key formats when verifying with HMAC. I was not able to bypass this blocklist. But the patch could be much improved by requiring the developer to specify which algorithm is to be used (see patch for CVE-2022-29217). That way we would know for sure, rather than hoping the blocklist is comprehensive.
Released v1.3.1
This vulnerability is now tracked under CVE-2024-37568.
After testing, the patch provided in 1.3.1 seems adequate for any imminent exploitation of the vulnerability. However, for future releases, I would recommend the following:
- Also make the algorithms field mandatory when decoding, or at the very least throw a warning when not used. The current patch resisted initial security testing by me, but there may be key formats not accounted for. Solving the root cause of this issue would be preferable.
- Improve the error message when doing HMAC verification with a public key to more explicitly say what the problem is. I don't think the message "This key may not be safe to import" is adequately intuitive to help developers understand whether their usage of the library is secure or not. A message such as "Asymmetric key formats may not be used with HMAC verification" would be much better.
Closing issue in faith that the above gets addressed in time. @lepture
@milliesolem Does this mean that CVE-2024-37568 is not fixed by v1.3.1?
@stigtsp @milliesolem it is a little hard to keep compatibility while improving security. I've changed the behavior in joserfc; you should not pass a string or bytes as the key now.
https://jose.authlib.org/en/
https://github.com/authlib/joserfc/blob/main/src/joserfc/jwk.py#L81
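The pattern the thread is arguing about, as an added illustration that is not code from authlib or joserfc and does not reproduce either library's internals: a verifier that trusts the token's own `alg` header and hands whatever key object it was given to HMAC can be fed an HS256 token signed with the server's RSA public key (which is public by design), so the attacker needs nothing secret. Two mitigations are shown side by side, the key-format blocklist approach the 1.3.1 patch is described as taking, and the mandatory `algorithms` parameter @milliesolem recommends. The PEM string is constructed filler (not a real key; the forgery never parses it), the blocklist of PEM labels and all function names are this example's own, and RS256 verification itself is left out because it is not needed to show the confusion.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for a server's RSA public key in PEM form. The base64
# body is filler, not a real key: the forgery below only needs the exact bytes
# the verifier will hand to HMAC, and those bytes are published by design.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAcONSTRUCTEDfillerNOTaREALkey\n"
    "-----END PUBLIC KEY-----\n"
)

# PEM labels that can only hold asymmetric key material. This list is written
# for the example (hypothetical); it is not the library's actual blocklist.
ASYMMETRIC_PEM_LABELS = (
    "-----BEGIN PUBLIC KEY-----",
    "-----BEGIN RSA PUBLIC KEY-----",
    "-----BEGIN CERTIFICATE-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


class UnsafeKeyError(ValueError):
    """Raised when asymmetric key material is offered to an HMAC algorithm."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _to_bytes(key) -> bytes:
    return key.encode("utf-8") if isinstance(key, str) else bytes(key)


def hs256_sign(claims: dict, key) -> str:
    """Produce a compact JWT with an HMAC-SHA256 signature over the given key bytes."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(_to_bytes(key), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def forge_token(public_key_pem: str, claims: dict) -> str:
    """Attacker side: the HMAC 'secret' is the server's own public key."""
    return hs256_sign(claims, public_key_pem)


def _split(token: str):
    h, c, s = token.split(".")
    return h, c, s, json.loads(_b64url_decode(h))


def _check_hmac(h: str, c: str, s: str, key) -> None:
    expected = hmac.new(_to_bytes(key), f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")


def decode_vulnerable(token: str, key) -> dict:
    """Pre-fix pattern: trust the attacker-controlled 'alg' header and feed
    whatever key object the caller passed straight into HMAC."""
    h, c, s, header = _split(token)
    if header.get("alg") == "HS256":
        _check_hmac(h, c, s, key)
        return json.loads(_b64url_decode(c))
    raise NotImplementedError(f"{header.get('alg')!r} is outside this example")


def decode_hardened(token: str, key, algorithms: list) -> dict:
    """Fixed pattern: the caller pins the algorithm set, and asymmetric key
    material is refused for HMAC no matter what the header says."""
    h, c, s, header = _split(token)
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not in allowed set {algorithms}")
    if alg.startswith("HS"):
        key_text = _to_bytes(key).decode("utf-8", errors="replace")
        if any(label in key_text for label in ASYMMETRIC_PEM_LABELS):
            raise UnsafeKeyError("Asymmetric key formats may not be used with HMAC verification")
        _check_hmac(h, c, s, key)
        return json.loads(_b64url_decode(c))
    raise NotImplementedError(f"{alg!r} is outside this example")


def run_demo() -> dict:
    """Exercise both verifiers with a forged token and a legitimate one."""
    forged = forge_token(PUBLIC_KEY_PEM, {"sub": "admin", "role": "superuser"})
    results = {}
    results["vulnerable_accepts_forgery"] = decode_vulnerable(forged, PUBLIC_KEY_PEM)["sub"] == "admin"
    try:  # pinning algorithms=["RS256"] rejects the HS256 header outright
        decode_hardened(forged, PUBLIC_KEY_PEM, algorithms=["RS256"])
        results["hardened_alg_pin_blocks"] = False
    except ValueError:
        results["hardened_alg_pin_blocks"] = True
    try:  # even with HS256 allowed, the key-format check refuses PEM material
        decode_hardened(forged, PUBLIC_KEY_PEM, algorithms=["HS256"])
        results["hardened_key_check_blocks"] = False
    except UnsafeKeyError:
        results["hardened_key_check_blocks"] = True
    legit = hs256_sign({"sub": "alice"}, b"a-real-shared-secret")
    results["hardened_accepts_legit_hmac"] = decode_hardened(legit, b"a-real-shared-secret", ["HS256"])["sub"] == "alice"
    return results
```

The two checks in `decode_hardened` are independent on purpose. The algorithm pin is the root-cause fix: the verifier, not the token, decides which algorithms are acceptable, so a header-driven switch from RS256 to HS256 is rejected before any key is touched. The label blocklist is the defence-in-depth layer; it only catches key encodings someone thought to list, which is the gap the thread worries about, so it should never be the sole control.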