A follow-up note: it was pointed out in https://www.timmclean.net/2015/03/31/jwt-algorithm-confusion.html that the algorithm requested in the JWT protocol is under attacker control and can be specified as 'None'. This is covered by the upstream bug report https://github.com/jpadilla/pyjwt/issues/106 and fixed in commit https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a .

We should either cherry-pick that commit or pull in the 1.0.0 release, which was the first release to include it, and also includes the improvement that allows whitelisting which specific algorithms are permitted (commit https://github.com/jpadilla/pyjwt/pull/110).

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1427852

Title:
  [MIR] pyjwt (b-d of python-oauthlib)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pyjwt/+bug/1427852/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
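The allow-list behaviour the comment asks for, shown as an added example that is not code from PyJWT or from the bug report: a minimal stdlib-only verifier that pins the accepted algorithms on the verifier side instead of trusting the token header. The key and the two sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key (not taken from the bug report).
KEY = b"example-shared-secret"

# Algorithms this verifier accepts. "none" is deliberately absent: the header
# is attacker-controlled, so the allow-list, not the token, decides the algorithm.
ALLOWED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a correctly signed HS256 token (used to construct the sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, allowed_algs=ALLOWED_ALGS):
    """Return the claims if the token verifies under an allowed algorithm, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject before any signature logic runs, so an "alg" of "none" (or any
    # unsupported value) never reaches a code path that skips verification.
    if not isinstance(header, dict) or header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


# Constructed sample tokens for the two cases the comment describes.
GOOD_TOKEN = make_hs256_token({"sub": "alice"}, KEY)
# Same claims, header says "none", empty signature: an attacker-chosen algorithm.
UNSIGNED_TOKEN = (_b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
                  + "." + _b64url_encode(json.dumps({"sub": "alice"}).encode()) + ".")
```

Released PyJWT exposes the same control as the algorithms= argument of jwt.decode(); the point is that the list of acceptable algorithms comes from the verifier's configuration, never from the token.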
