mpdavis / python-jose

A JOSE implementation in Python
MIT License
1.54k stars 235 forks

Fix for CVE-2024-33664. JWE limited to 250K #352

Open alistairwatts opened 5 months ago

alistairwatts commented 5 months ago

This fix for CVE-2024-33664 ensures that any incoming JWE is under 250K, which seems to be a sensible, albeit large limit. The specific fix for the "zip bomb" issue ensures that we decompress no more than 250K of data. If that limit is reached then a JWEError is raised.

There's rough symmetry here ensuring that both compressed and uncompressed JWE data is no more than 250K.
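Added example of the two checks the description talks about, written for this page and not taken from the PR or from python-jose itself. It assumes 250K means 250 * 1024 bytes, defines a local JWEError stand-in instead of importing jose.exceptions.JWEError, and inflates with raw DEFLATE (RFC 1951, zlib wbits=-15), which is what a JWE with "zip": "DEF" carries. The point it shows is that zlib's max_length argument lets you stop inflating at the cap instead of materialising the whole bomb and measuring it afterwards; the helper names (check_token_size, bounded_inflate, safe_inflate, deflate_raw) are hypothetical.

```python
"""Bounded handling of JWE 'zip': 'DEF' payloads (illustrative, not the PR's code)."""
import zlib

MAX_JWE_BYTES = 250 * 1024        # assumed cap on the incoming compact serialization
MAX_PLAINTEXT_BYTES = 250 * 1024  # assumed cap on the inflated plaintext


class JWEError(Exception):
    """Stand-in for jose.exceptions.JWEError; the real class is not imported here."""


def check_token_size(token, limit=MAX_JWE_BYTES):
    """Reject an oversized compact JWE before any base64/JSON parsing happens.

    Returns the size in bytes on success so callers can log it; raises JWEError otherwise.
    """
    raw = token.encode("ascii") if isinstance(token, str) else token
    if len(raw) > limit:
        raise JWEError(f"JWE of {len(raw)} bytes exceeds limit of {limit}")
    return len(raw)


def bounded_inflate(data, limit=MAX_PLAINTEXT_BYTES):
    """Inflate a raw DEFLATE stream without ever producing more than `limit` bytes.

    max_length=limit+1 asks zlib for at most limit+1 output bytes; if we actually get
    limit+1 bytes, or zlib left input unconsumed because the output buffer filled,
    the payload is larger than the cap and is rejected without inflating the rest.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    try:
        out = d.decompress(data, limit + 1)
    except zlib.error as exc:
        raise JWEError(f"malformed DEFLATE stream: {exc}") from exc
    if len(out) > limit or d.unconsumed_tail:
        raise JWEError(f"decompressed payload exceeds limit of {limit} bytes")
    if not d.eof:
        # All input consumed but no end-of-stream marker seen: truncated token.
        raise JWEError("truncated DEFLATE stream")
    return out


def safe_inflate(data, limit=MAX_PLAINTEXT_BYTES):
    """Exception-free wrapper: (True, plaintext) or (False, reason)."""
    try:
        return True, bounded_inflate(data, limit)
    except JWEError as exc:
        return False, str(exc)


def deflate_raw(plaintext, level=9):
    """Produce a raw DEFLATE stream, used here only to construct sample inputs."""
    c = zlib.compressobj(level=level, wbits=-15)
    return c.compress(plaintext) + c.flush()


if __name__ == "__main__":
    # Constructed inputs: a normal payload and a "bomb" (32 MiB of zeros, ~32 KiB deflated).
    benign = deflate_raw(b'{"sub":"alice","scope":"read"}')
    bomb = deflate_raw(b"\x00" * (32 * 1024 * 1024))
    print("benign:", safe_inflate(benign))
    print("bomb deflated size:", len(bomb), "-> passes the token-size check alone")
    print("bomb:", safe_inflate(bomb))
```

Note that the compressed-size check on its own is not enough: the 32 MiB bomb above deflates to a few tens of kilobytes, well under 250K, so only the bounded inflation catches it. The check on the inflated side is what actually closes the decompression-bomb hole; the size check on the wire format is the cheap first line.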

omufeed commented 4 months ago

Is this repository still maintained? Would be great to check and merge this PR.

Shinnnyshinshin commented 4 months ago

Thank you for this work @alistairwatts. Would love to see this PR go in.

CharlesPerrotMinotHCHB commented 4 months ago

Let's try pinging @asherf and @mpdavis

smittysmee commented 4 months ago

@mpdavis

maciejstromich commented 4 months ago

if @mpdavis does not work maybe @michaeldavis-wf will?

twwildey commented 4 months ago

Can you rebase your changes onto the latest master branch and force-update your branch for this PR?

nicholas-quirk-mass-gov commented 4 months ago

@alistairwatts

CharlesPerrotMinotHCHB commented 4 months ago

@twwildey

phasath commented 2 weeks ago

Any updates here?