Summary
The wrong string check is run when validating the "iss" claim, resulting in "abc" being accepted for "_abc_".
Details
This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstance(issuer, list) to isinstance(issuer, Sequence).
- if isinstance(issuer, list):
+ if isinstance(issuer, Sequence):
if payload["iss"] not in issuer:
raise InvalidIssuerError("Invalid issuer")
else:
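Review bot: the Sequence branch now admits str (a str is itself a Sequence), so a single string issuer passed as issuer="urn:expected" goes through payload["iss"] not in issuer, which is a substring test rather than an equality check; either keep an explicit isinstance(issuer, str) equality path ahead of the Sequence branch, or exclude str from it, and add a test where the token's "iss" is a strict substring of the configured issuer so the regression cannot recur.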
Since str is a Sequence but not a list, a string issuer now takes the membership branch, and the in operator on a str is a substring test rather than an equality comparison. This results in if "abc" not in "__abcd__": being checked instead of if "abc" != "__abc__":, so any "iss" value that is a substring of the configured issuer is accepted.
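To make the substring behaviour concrete, the following is an added example (not PyJWT's own code) that reproduces the 2.10.0 check described above beside a hardened variant. The else branch and the InvalidIssuerError class are assumed stand-ins, and check_issuer_fixed is one possible hardening, not the project's actual fix.

```python
from collections.abc import Sequence


class InvalidIssuerError(Exception):
    """Stand-in for jwt.exceptions.InvalidIssuerError (constructed for this example)."""


def check_issuer_buggy(payload, issuer):
    # Mirrors the 2.10.0 logic: a str is a Sequence, so a single string
    # issuer takes the membership branch, and `in` on a str is a substring test.
    if issuer is None:
        return
    if isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:  # assumed: anything else is compared for equality
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")


def check_issuer_fixed(payload, issuer):
    # Treat a str as one expected issuer (equality) and only use membership
    # for non-string sequences of expected issuers.
    if issuer is None:
        return
    if isinstance(issuer, str):
        if payload["iss"] != issuer:
            raise InvalidIssuerError("Invalid issuer")
    elif isinstance(issuer, Sequence):
        if payload["iss"] not in issuer:
            raise InvalidIssuerError("Invalid issuer")
    else:
        raise TypeError("issuer must be a str or a sequence of str")


def accepted(check, iss_claim, issuer):
    """Return True if `check` accepts the constructed claim, False if it raises."""
    try:
        check({"iss": iss_claim}, issuer)
    except InvalidIssuerError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: "urn:" is a strict substring of the configured issuer.
    print(accepted(check_issuer_buggy, "urn:", "urn:expected"))  # True (bug)
    print(accepted(check_issuer_fixed, "urn:", "urn:expected"))  # False
```

Note that the empty string is a substring of every string, so the buggy branch also accepts an "iss" of "" for any configured string issuer.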
PoC
Check out the unit tests added here: https://github.com/jpadilla/pyjwt-ghsa-75c5-xw7c-p5pm
import jwt
import pytest
from jwt.exceptions import InvalidIssuerError

issuer = "urn:expected"
payload = {"iss": "urn:"}
token = jwt.encode(payload, "secret")
# decode() succeeds, even though "urn:" != "urn:expected", because "urn:" is a substring
# of the expected issuer. No exception is raised, so this assertion fails on 2.10.0.
with pytest.raises(InvalidIssuerError):
    jwt.decode(token, "secret", issuer=issuer, algorithms=["HS256"])
Impact
I would say the real-world impact is not that high, seeing as the signature still has to match. We should still fix it.