python-jose/CVE-2024-33664.patch

diff -Naur python-jose-3.3.0/jose/jwe.py python-jose-3.3.0_cve/jose/jwe.py
--- python-jose-3.3.0/jose/jwe.py	2021-06-05 00:11:22.000000000 +0800
+++ python-jose-3.3.0_cve/jose/jwe.py	2024-04-26 17:33:01.319314391 +0800
@@ -76,6 +76,10 @@
         >>> jwe.decrypt(jwe_string, 'asecret128bitkey')
         'Hello, World!'
     """
+    # limit the token size to 250 KB
+    if len(jwe_str) > 250 * 1024:
+        raise JWEError("JWE string exceeds 250 KB")
+ 
     header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)
 
     # Verify that the implementation understands and can process all
fix CVE-2024-33664 2024-04-26 17:38:01 +08:00			`diff -Naur python-jose-3.3.0/jose/jwe.py python-jose-3.3.0_cve/jose/jwe.py`
			`--- python-jose-3.3.0/jose/jwe.py 2021-06-05 00:11:22.000000000 +0800`
			`+++ python-jose-3.3.0_cve/jose/jwe.py 2024-04-26 17:33:01.319314391 +0800`
			`@@ -76,6 +76,10 @@`
			`>>> jwe.decrypt(jwe_string, 'asecret128bitkey')`
			`'Hello, World!'`
			`"""`
			`+ # limit the token size to 250 KB`
			`+ if len(jwe_str) > 250 * 1024:`
			`+ raise JWEError("JWE string exceeds 250 KB")`
			`+`
			`header, encoded_header, encrypted_key, iv, cipher_text, auth_tag = _jwe_compact_deserialize(jwe_str)`

			`# Verify that the implementation understands and can process all`