Conversation
Add "RSA PUBLIC KEY" to the forbidden key strings in HMAC. Prevents the use of PKCS1 keys, cited by this CVE as exposing a key-confusion attack. Also add a test case for it, doing the obvious thing. Closes mpdavis#62
Collaborator
|
Looks good to me. The PyPy build failed because of PyCrypto failing to compile. |
Owner
|
I'm happy with this change, but I want to see what is up with the failing build before merging. |
Owner
|
@sirosen I noticed your builds are running on the newer trusty builders. Can you try adding |
Codecov Report
@@ Coverage Diff @@
## master #63 +/- ##
=======================================
Coverage 94.53% 94.53%
=======================================
Files 12 12
Lines 841 841
=======================================
Hits 795 795
Misses 46 46
Continue to review full report at Codecov.
|
Contributor
Author
|
Yeah, I don't mind slipping that change in. Doing that now. |
Pin to older infra to hopefully resolve pycrypto compilation issues.
sirosen
force-pushed
the
fix-cve-2017-11424
branch
from
98bd2b9 to
5bc7470
Compare
Owner
|
lgtm |
Owner
|
Released in 1.4.0 |
fergyfresh
added a commit
to fergyfresh/django-rest-framework-simplejwt
that referenced
this pull request
Apr 4, 2019
ludarkhorse
added a commit
to ludarkhorse/djangoframework
that referenced
this pull request
Feb 24, 2023
mm-pro
pushed a commit
to mm-pro/JWT-basic-Django
that referenced
this pull request
Oct 29, 2023
cr313
added a commit
to cr313/rest_framework_simple
that referenced
this pull request
Apr 19, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add "RSA PUBLIC KEY" to the forbidden key strings in HMAC. Prevents the use of PKCS1 keys, cited by this CVE as exposing a key-confusion attack.
Also add a test case for it, doing the obvious thing.
Closes #62