File CVE-2026-28498.patch of Package python-Authlib.43208

From b9bb2b25bf8b7e01512d847a95c1749646eaa72b Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Sun, 1 Mar 2026 00:30:33 +0900
Subject: [PATCH] fix(oidc): fail close at validating c_hash and at_hash

---
 authlib/oidc/core/claims.py       |  4 ++--
 tests/core/test_oidc/test_core.py | 10 ++++++----
 2 files changed, 8 insertions(+), 6 deletions(-)

Index: authlib-1.3.1/authlib/oidc/core/claims.py
===================================================================
--- authlib-1.3.1.orig/authlib/oidc/core/claims.py
+++ authlib-1.3.1/authlib/oidc/core/claims.py
@@ -237,6 +237,6 @@ def get_claim_cls_by_response_type(respo
 
 def _verify_hash(signature, s, alg):
     hash_value = create_half_hash(s, alg)
-    if not hash_value:
-        return True
+    if hash_value is None:
+        return False
     return hmac.compare_digest(hash_value, to_bytes(signature))
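Review bot: `_verify_hash` has no docstring, and the fail-closed contract this hunk introduces is exactly what the next reader needs stated; a docstring like `"""Return True only if *signature* matches the half hash of *s* for *alg*; an alg with no known digest (create_half_hash returns None) yields False so at_hash/c_hash validation fails closed."""` would do. The old `not hash_value` test also treated an empty digest as a pass, whereas the new `is None` check forwards an empty value to `compare_digest`; that path is presumably never reached for a real digest, but a one-line comment on the new branch such as `# unknown alg: refuse rather than skip the check` keeps the intent from being "simplified" back to a truthiness test later. The tests in this patch suggest callers turn the False into InvalidClaimError, but that caller is outside the hunk and should be confirmed.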
Index: authlib-1.3.1/tests/core/test_oidc/test_core.py
===================================================================
--- authlib-1.3.1.orig/tests/core/test_oidc/test_core.py
+++ authlib-1.3.1/tests/core/test_oidc/test_core.py
@@ -1,4 +1,5 @@
 import unittest
+import pytest
 from authlib.jose.errors import MissingClaimError, InvalidClaimError
 from authlib.oidc.core import CodeIDToken, ImplicitIDToken, HybridIDToken
 from authlib.oidc.core import UserInfo, get_claim_cls_by_response_type
@@ -85,9 +86,10 @@ class IDTokenTest(unittest.TestCase):
         }, {})
         claims.params = {'access_token': 'a'}
 
-        # invalid alg won't raise
+        # invalid alg will raise too
         claims.header = {'alg': 'HS222'}
-        claims.validate(1000)
+        with pytest.raises(InvalidClaimError):
+            claims.validate(1000)
 
         claims.header = {'alg': 'HS256'}
         self.assertRaises(InvalidClaimError, claims.validate, 1000)
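Review bot: The rewritten assertion `with pytest.raises(InvalidClaimError):` introduces pytest into a `unittest.TestCase` whose very next assertion, two lines below, still uses `self.assertRaises`, so the same test method now mixes two idioms; the hunk at `claims['c_hash'] = 'a'` has the same mix. Writing it as `self.assertRaises(InvalidClaimError, claims.validate, 1000)` expresses the new expectation in the file's existing style and makes the `import pytest` added in the first hunk unnecessary. The enclosing test method starts before this hunk.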
@@ -118,10 +120,11 @@ class IDTokenTest(unittest.TestCase):
         claims.params = {'code': 'a'}
         self.assertRaises(MissingClaimError, claims.validate, 1000)
 
-        # invalid alg won't raise
+        # invalid alg will raise too
         claims.header = {'alg': 'HS222'}
         claims['c_hash'] = 'a'
-        claims.validate(1000)
+        with pytest.raises(InvalidClaimError):
+            claims.validate(1000)
 
         claims.header = {'alg': 'HS256'}
         self.assertRaises(InvalidClaimError, claims.validate, 1000)