Merge pull request #63 from sirosen/fix-cve-2017-11424

mpdavis · web-flow · commit 7569fdf59605 · 2017-09-01T11:04:37.000-05:00
Fix for CVE-2017-11424
diff --git a/.travis.yml b/.travis.yml
@@ -1,4 +1,7 @@
 sudo: false
+# Travis infra requires pinning dist:precise, at least as of 2017-09-01
+# detail: https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch
+dist: precise
 language: python
 python:
   - "2.6"
diff --git a/jose/jwk.py b/jose/jwk.py
@@ -105,6 +105,7 @@ def __init__(self, key, algorithm):
 
         invalid_strings = [
             b'-----BEGIN PUBLIC KEY-----',
+            b'-----BEGIN RSA PUBLIC KEY-----',
             b'-----BEGIN CERTIFICATE-----',
             b'ssh-rsa'
         ]
diff --git a/tests/algorithms/test_HMAC.py b/tests/algorithms/test_HMAC.py
@@ -17,6 +17,10 @@ def test_RSA_key(self):
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
 
+        key = "-----BEGIN RSA PUBLIC KEY-----"
+        with pytest.raises(JOSEError):
+            HMACKey(key, ALGORITHMS.HS256)
+
         key = "-----BEGIN CERTIFICATE-----"
         with pytest.raises(JOSEError):
             HMACKey(key, ALGORITHMS.HS256)
