GehirnInc / python-jwt

JSON Web Token library for Python
https://pypi.python.org/pypi/jwt
Apache License 2.0

Seems client can pass any token with none algo #19

Closed baverman closed 5 years ago

baverman commented 5 years ago

There is no list of acceptable algos in the decode method, and an attacker can forge a token with the none algo and it will be valid.

mmakaay commented 5 years ago

Yes, I just ran into the same issue while testing out this library, and for that reason switched to a different implementation. The "none" algorithm attack is well known and should really be fixed. For some more information: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/

yosida95 commented 5 years ago

Thank you both for notifying about use of none algorithm.

I'm aware of this vector and have implemented an algorithms parameter on JWT.decode to explicitly specify the algorithms to be used, in a1dc918f100a0d3eb203a78ba5625ad0b7e0e7f6. In addition, the none algorithm is dropped from supported_signing_algorithms by default.

I will publish this version on PyPI soon.
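The check the thread describes, as an added illustration that is not code from python-jwt: a decode routine where the caller's explicit algorithms allowlist decides, so a token whose header claims alg=none is rejected unless the verifier opted in, and an HS256 token is only accepted when its HMAC verifies. Function names, the HS256-only support and the demo key are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def encode_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (the legitimate case)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_none_token(claims: dict) -> str:
    """Constructed alg=none token with an empty signature: the input to reject."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def decode(token: str, key: bytes, algorithms: list) -> dict:
    """Verify and decode; the caller's allowlist, not the header, decides."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    # The header is attacker-controlled: "none" is honoured only if the caller
    # explicitly listed it, which a default configuration never should.
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not in allowlist {algorithms}")
    if alg == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("signature verification failed")
    elif alg != "none":
        raise ValueError(f"unsupported algorithm {alg!r}")
    return json.loads(_b64url_decode(payload_b64))


def is_accepted(token: str, key: bytes, algorithms: list) -> bool:
    """True if decode() accepts the token, False if it rejects it."""
    try:
        decode(token, key, algorithms)
        return True
    except ValueError:
        return False
```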

yosida95 commented 5 years ago

I have just released v0.6.0.

Thank you.