Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge release 4.0.4 into 4.1.x #788

Merged
merged 4 commits into from
Sep 28, 2021
Merged

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Sep 28, 2021

Release Notes for 4.0.4

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

4.0.4

  • Total issues resolved: 1
  • Total pull requests resolved: 0
  • Total contributors: 0

lcobucci and others added 4 commits September 27, 2021 15:28
It seems that dependabot is always using the lowest supported version of
PHP 7.4, which forces composer to install `ocramius/package-versions`
v1.9 instead of v2.1.

We'll handle this on the latest development branch.
On v3.4.0 we introduced the
`Lcobucci\JWT\Signer\Key\LocalFileReference`, which was designed to be
used with OpenSSL-based algorithms and avoid having to load the file
contents into user-land to sign/verify tokens.

However, other algorithms don't understand the scheme `file://` and will
incorrectly use the file path as the signing key.

This modifies and deprecates `LocalFileReference` to avoid that
misleading behaviour.

Co-authored-by: Anton Smirnov <[email protected]>
Co-authored-by: Marco Pivetta <[email protected]>
Ensure key contents is used for all hashing algorithms
@lcobucci lcobucci self-assigned this Sep 28, 2021
@lcobucci lcobucci added this to the 4.1.5 milestone Sep 28, 2021
@lcobucci lcobucci merged commit fe2d89f into 4.1.x Sep 28, 2021
@lcobucci lcobucci deleted the 4.0.x-merge-up-into-4.1.x_7QZpeQfq branch September 28, 2021 19:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant