Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package perl-Crypt-JWT for openSUSE:Factory 
checked in at 2025-05-26 18:35:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Crypt-JWT (Old)
 and      /work/SRC/openSUSE:Factory/.perl-Crypt-JWT.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "perl-Crypt-JWT"

Mon May 26 18:35:38 2025 rev:8 rq:1279781 version:0.37.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Crypt-JWT/perl-Crypt-JWT.changes    
2025-01-31 16:04:52.393112196 +0100
+++ /work/SRC/openSUSE:Factory/.perl-Crypt-JWT.new.2732/perl-Crypt-JWT.changes  
2025-05-26 18:37:16.879822088 +0200
@@ -1,0 +2,11 @@
+Mon Apr 28 05:46:27 UTC 2025 - Tina Müller <timueller+p...@suse.de>
+
+- updated to 0.37.0 (0.037)
+   see /usr/share/doc/packages/perl-Crypt-JWT/Changes
+
+  0.037   2025-04-27
+          - fix #43 Fails to decode JWT from AWS Application Load Balancers
+          - fix #44 Allow decoding JWS with Base64 padding characters
+          - added tolerate_padding parameter for decode_jwt
+
+-------------------------------------------------------------------

Old:
----
  Crypt-JWT-0.036.tar.gz

New:
----
  Crypt-JWT-0.037.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl-Crypt-JWT.spec ++++++
--- /var/tmp/diff_new_pack.zRhJvl/_old  2025-05-26 18:37:17.515848787 +0200
+++ /var/tmp/diff_new_pack.zRhJvl/_new  2025-05-26 18:37:17.519848956 +0200
@@ -18,10 +18,10 @@
 
 %define cpan_name Crypt-JWT
 Name:           perl-Crypt-JWT
-Version:        0.36.0
+Version:        0.37.0
 Release:        0
-# 0.036 -> normalize -> 0.36.0
-%define cpan_version 0.036
+# 0.037 -> normalize -> 0.37.0
+%define cpan_version 0.037
 License:        Artistic-1.0 OR GPL-1.0-or-later
 Summary:        JSON Web Token
 URL:            https://metacpan.org/release/%{cpan_name}
@@ -31,11 +31,11 @@
 BuildRequires:  perl
 BuildRequires:  perl-macros
 BuildRequires:  perl(Compress::Raw::Zlib)
-BuildRequires:  perl(CryptX) >= 0.067
+BuildRequires:  perl(CryptX) >= 0.67.0
 BuildRequires:  perl(JSON)
 BuildRequires:  perl(Test::More) >= 0.88
 Requires:       perl(Compress::Raw::Zlib)
-Requires:       perl(CryptX) >= 0.067
+Requires:       perl(CryptX) >= 0.67.0
 Requires:       perl(JSON)
 Requires:       perl(Test::More) >= 0.88
 Provides:       perl(Crypt::JWT) = %{version}

++++++ Crypt-JWT-0.036.tar.gz -> Crypt-JWT-0.037.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/Changes new/Crypt-JWT-0.037/Changes
--- old/Crypt-JWT-0.036/Changes 2025-01-26 11:06:58.000000000 +0100
+++ new/Crypt-JWT-0.037/Changes 2025-04-27 16:53:04.000000000 +0200
@@ -1,5 +1,10 @@
 Changes for Crypt-JWT distribution
 
+0.037   2025-04-27
+        - fix #43 Fails to decode JWT from AWS Application Load Balancers
+        - fix #44 Allow decoding JWS with Base64 padding characters
+        - added tolerate_padding parameter for decode_jwt
+
 0.036   2025-01-26
         - fix #35 support aud claim as an array of strings
         - added verify_typ - verify 'typ' header parameter
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/MANIFEST new/Crypt-JWT-0.037/MANIFEST
--- old/Crypt-JWT-0.036/MANIFEST        2025-01-26 11:16:33.000000000 +0100
+++ new/Crypt-JWT-0.037/MANIFEST        2025-04-27 16:55:02.000000000 +0200
@@ -9,6 +9,7 @@
 t/flattened.t
 t/jws_empty_payload.t
 t/jws_no_key.t
+t/jws_with_padding.t
 t/jwt_decode_tv.t
 t/jwt_encode_decode.t
 t/jwt_params.t
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/META.json 
new/Crypt-JWT-0.037/META.json
--- old/Crypt-JWT-0.036/META.json       2025-01-26 11:16:33.000000000 +0100
+++ new/Crypt-JWT-0.037/META.json       2025-04-27 16:55:01.000000000 +0200
@@ -51,6 +51,6 @@
          "url" : "https://github.com/DCIT/perl-Crypt-JWT";
       }
    },
-   "version" : "0.036",
+   "version" : "0.037",
    "x_serialization_backend" : "JSON::PP version 4.16"
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/META.yml new/Crypt-JWT-0.037/META.yml
--- old/Crypt-JWT-0.036/META.yml        2025-01-26 11:16:28.000000000 +0100
+++ new/Crypt-JWT-0.037/META.yml        2025-04-27 16:54:56.000000000 +0200
@@ -28,5 +28,5 @@
 resources:
   bugtracker: https://github.com/DCIT/perl-Crypt-JWT/issues
   repository: https://github.com/DCIT/perl-Crypt-JWT
-version: '0.036'
+version: '0.037'
 x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/README.md 
new/Crypt-JWT-0.037/README.md
--- old/Crypt-JWT-0.036/README.md       2025-01-26 11:16:34.000000000 +0100
+++ new/Crypt-JWT-0.037/README.md       2025-04-27 16:55:02.000000000 +0200
@@ -418,6 +418,12 @@
 
     `undef` (default) - do not verify 'typ' header parameter
 
+- tolerate\_padding
+
+    `0` (default) - ignore Base64 padding characters when validating signature
+
+    `1` - take account of Base64 padding characters when validating signature
+
 ## encode\_jwt
 
     my $token = encode_jwt(%named_args);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/lib/Crypt/JWT.pm 
new/Crypt-JWT-0.037/lib/Crypt/JWT.pm
--- old/Crypt-JWT-0.036/lib/Crypt/JWT.pm        2025-01-25 23:47:50.000000000 
+0100
+++ new/Crypt-JWT-0.037/lib/Crypt/JWT.pm        2025-04-27 16:47:45.000000000 
+0200
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-our $VERSION = '0.036';
+our $VERSION = '0.037';
 
 use Exporter 'import';
 our %EXPORT_TAGS = ( all => [qw(decode_jwt encode_jwt)] );
@@ -819,7 +819,10 @@
   if (!$args{token}) {
     croak "JWT: missing token";
   }
-  elsif ($args{token} =~ 
/^([a-zA-Z0-9_-]+)=*\.([a-zA-Z0-9_-]*)=*\.([a-zA-Z0-9_-]*)=*(?:\.([a-zA-Z0-9_-]+)=*\.([a-zA-Z0-9_-]+)=*)?$/)
 {
+  my $token_re = $args{tolerate_padding}
+    ? 
qr/^([a-zA-Z0-9_-]+=*)\.([a-zA-Z0-9_-]*=*)\.([a-zA-Z0-9_-]*=*)(?:\.([a-zA-Z0-9_-]+=*)\.([a-zA-Z0-9_-]+=*))?$/
+    : 
qr/^([a-zA-Z0-9_-]+)=*\.([a-zA-Z0-9_-]*)=*\.([a-zA-Z0-9_-]*)=*(?:\.([a-zA-Z0-9_-]+)=*\.([a-zA-Z0-9_-]+)=*)?$/;
+  if ($args{token} =~ $token_re) {
     if (defined($5) && length($5) > 0) {
         # JWE token (5 segments)
         ($header, $payload) = _decode_jwe($1, $2, $3, $4, $5, undef, {}, {}, 
%args);
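Review bot: Both `$token_re` alternatives keep an unbounded `=*` on every segment and a `$` anchor, so any number of trailing `=` characters (and a final newline) is accepted. In the default branch the padding sits outside the captures and appears to be dropped before verification, so several distinct strings can be accepted as the same token, which matters to callers that key a cache or revocation list on the raw token string. Consider bounding the padding to what Base64 can produce and anchoring on end of string, at least in the new branch, e.g. `([a-zA-Z0-9_-]+={0,2})` per segment and `\z` instead of `$`. A comment above `$token_re` such as `# with tolerate_padding the '=' stays inside the captures and is therefore part of the signed input` would also record why two near-identical patterns exist. The enclosing sub starts and ends outside this hunk, so the downstream use of the captures is inferred from the `_decode_jwe` call and the documentation hunk.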
@@ -1285,6 +1288,12 @@
 
 C<undef> (default) - do not verify 'typ' header parameter
 
+=item tolerate_padding
+
+C<0> (default) - ignore Base64 padding characters when validating signature
+
+C<1> - take account of Base64 padding characters when validating signature
+
 =back
 
 =head2 encode_jwt
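Review bot: The two `tolerate_padding` entries read as the opposite of the parameter name and do not say what a caller observes; per the new test, a padded token fails to decode with `0` and decodes with `1`. I would reword them along the lines of `C<0> (default) - trailing '=' on a segment is stripped before the signature is checked, so a token signed over padded segments is rejected` and `C<1> - trailing '=' is kept as part of the signed input`, to be confirmed against the verification code, which is outside this hunk. The same wording appears in the README.md hunk and should change with it. It would also help to state that padded segments are not standard JWS compact serialization, so that callers enable the option only for issuers known to emit them.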
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/lib/Crypt/KeyWrap.pm 
new/Crypt-JWT-0.037/lib/Crypt/KeyWrap.pm
--- old/Crypt-JWT-0.036/lib/Crypt/KeyWrap.pm    2025-01-25 23:47:45.000000000 
+0100
+++ new/Crypt-JWT-0.037/lib/Crypt/KeyWrap.pm    2025-04-27 16:47:50.000000000 
+0200
@@ -3,7 +3,7 @@
 use strict;
 use warnings;
 
-our $VERSION = '0.036';
+our $VERSION = '0.037';
 
 use Exporter 'import';
 our %EXPORT_TAGS = ( all => [qw(aes_key_wrap aes_key_unwrap gcm_key_wrap 
gcm_key_unwrap pbes2_key_wrap pbes2_key_unwrap ecdh_key_wrap ecdh_key_unwrap 
ecdhaes_key_wrap ecdhaes_key_unwrap rsa_key_wrap rsa_key_unwrap)] );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Crypt-JWT-0.036/t/jws_with_padding.t 
new/Crypt-JWT-0.037/t/jws_with_padding.t
--- old/Crypt-JWT-0.036/t/jws_with_padding.t    1970-01-01 01:00:00.000000000 
+0100
+++ new/Crypt-JWT-0.037/t/jws_with_padding.t    2025-04-27 16:41:47.000000000 
+0200
@@ -0,0 +1,42 @@
+use strict;
+use warnings;
+use Test::More;
+
+use Crypt::JWT qw(decode_jwt);
+
+my $ecc256Pub = <<'EOF';
+-----BEGIN PUBLIC KEY-----
+MIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA/////wAAAAEAAAAA
+AAAAAAAAAAD///////////////8wRAQg/////wAAAAEAAAAAAAAAAAAAAAD/////
+//////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEaxfR
+8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84z
+V2sxXs7LtkBoN79R9QIhAP////8AAAAA//////////+85vqtpxeehPO5ysL8YyVR
+AgEBA0IABLCZs5f55I9TnS52ClM2LY7Ui+9fVn1W7BAEmsgDbrY2J74jFoU+Rw4A
+xlGgQNgAcsaX6u9exFUjJHQLL8wnZ0o=
+-----END PUBLIC KEY-----
+EOF
+
+# my $ecc256Priv = <<'EOF';
+# -----BEGIN EC PRIVATE KEY-----
+# MIIBUQIBAQQg7hVSXtl+9yGHEYCsC6f11j/y3DX3NdDW0kQoO8EO9pmggeMwgeAC
+# AQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAAAAAAAAAAAAAA////////////////
+# MEQEIP////8AAAABAAAAAAAAAAAAAAAA///////////////8BCBaxjXYqjqT57Pr
+# vVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwRBBGsX0fLhLEJH+Lzm5WOkQPJ3A32BLesz
+# oPShOUXYmMKWT+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfUCIQD/////
+# AAAAAP//////////vOb6racXnoTzucrC/GMlUQIBAaFEA0IABLCZs5f55I9TnS52
+# ClM2LY7Ui+9fVn1W7BAEmsgDbrY2J74jFoU+Rw4AxlGgQNgAcsaX6u9exFUjJHQL
+# L8wnZ0o=
+# -----END EC PRIVATE KEY-----
+# EOF
+
+my $token = 
'eyJhbGciOiJFUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0=.FOGAeCGvhKs-sQPUWQEmpdM0kC_yfi986ZW7XoT4pnlTKRLn43wDw6zVHdzEFFuy_JgsQFGYCfJQQds-5FF05w==';
+my $decoded;
+
+$decoded = eval { decode_jwt(token => $token, decode_payload => 0, key => 
\$ecc256Pub) };
+is($decoded, undef, 'default (tolerate_padding => 0)');
+$decoded = eval { decode_jwt(token => $token, tolerate_padding => 0, 
decode_payload => 0, key => \$ecc256Pub) };
+is($decoded, undef, 'tolerate_padding => 0');
+$decoded = eval { decode_jwt(token => $token, tolerate_padding => 1, 
decode_payload => 0, key => \$ecc256Pub) };
+is($decoded, '{"hello":"world"}', 'tolerate_padding => 1');
+
+done_testing;
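Review bot: The two negative cases assert only that `eval` returned `undef`, so they pass on any exception (a key that fails to parse, a missing dependency), not specifically on a rejected signature. Capture the error and assert on it, e.g. `like($@, qr/EXPECTED_ERROR_PLACEHOLDER/, 'padded token rejected by default');`, with the pattern replaced by the message the module croaks for an invalid signature. The `tolerate_padding => 1` path has only a positive case; a token whose payload or signature segment was altered should be added and expected to fail, so the option is shown not to weaken verification. The commented-out `$ecc256Priv` block is unused and will trip secret scanners; either remove it or add a one-line comment that it is a throwaway test key.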
