Add warning when decoding with no algorithms specifiedfix-vuln

author: José Padilla <jpadilla@webapplicate.com> 2017-06-21 16:04:35 -0400
committer: José Padilla <jpadilla@webapplicate.com> 2017-06-21 16:04:35 -0400
commit: 10b13525f51fe55872b789afa4215820d99d63dd (patch)
tree: 48c82d466883497f39abef333c09836cde507b14 /jwt/api_jws.py
parent: 1922f0972b065077404c0dafa0946f2132400a2b (diff)
download: pyjwt-fix-vuln.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/jwt/api_jws.py b/jwt/api_jws.py
index 8910751..097b46a 100644
--- a/jwt/api_jws.py
+++ b/jwt/api_jws.py
@@ -117,6 +117,12 @@ class PyJWS(object):
 
     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
                **kwargs):
+
+        if not algorithms:
+            warnings.warn('The algorithms parameter is required when decoding. ' +
+                          'Please specify only the expected algorithms.',
+                          DeprecationWarning)
+
         payload, signing_input, header, signature = self._load(jws)
 
         if verify:
author	José Padilla <jpadilla@webapplicate.com>	2017-06-21 16:04:35 -0400
committer	José Padilla <jpadilla@webapplicate.com>	2017-06-21 16:04:35 -0400
commit	10b13525f51fe55872b789afa4215820d99d63dd (patch)
tree	48c82d466883497f39abef333c09836cde507b14 /jwt/api_jws.py
parent	1922f0972b065077404c0dafa0946f2132400a2b (diff)
download	pyjwt-fix-vuln.tar.gz