Merge pull request #63 from sirosen/fix-cve-2017-11424

Fix for CVE-2017-11424
mpdavis · Sep 1, 2017 · 7569fdf · 7569fdf
2 parents b54c12a + 5bc7470
commit 7569fdf
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,4 +1,7 @@
 sudo: false
+# Travis infra requires pinning dist:precise, at least as of 2017-09-01
+# detail: https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch
+dist: precise
 language: python
 python:
   - "2.6"

diff --git a/jose/jwk.py b/jose/jwk.py
@@ -105,6 +105,7 @@ def __init__(self, key, algorithm):
 
         invalid_strings = [
             b'-----BEGIN PUBLIC KEY-----',
+            b'-----BEGIN RSA PUBLIC KEY-----',
             b'-----BEGIN CERTIFICATE-----',
             b'ssh-rsa'
         ]

diff --git a/tests/algorithms/test_HMAC.py b/tests/algorithms/test_HMAC.py
@@ -17,6 +17,10 @@ def test_RSA_key(self):
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
+        key = "-----BEGIN RSA PUBLIC KEY-----"
+        with pytest.raises(JOSEError):
+            HMACKey(key, ALGORITHMS.HS256)
+
         key = "-----BEGIN CERTIFICATE-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)