
From 867e3f87b072347a1ae9cf6983cc8bbf88447e5e Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Thu, 2 Oct 2025 22:26:41 +0900
Subject: [PATCH] fix(jose): add size limitation to prevent DoS

---
 authlib/jose/rfc7515/jws.py |  5 +++++
 authlib/jose/util.py        |  6 ++++++
 tests/jose/test_jws.py      | 17 +++++++++++++++++
 3 files changed, 28 insertions(+)

Index: authlib-1.3.1/authlib/jose/rfc7515/jws.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7515/jws.py
+++ authlib-1.3.1/authlib/jose/rfc7515/jws.py
@@ -27,6 +27,8 @@ class JsonWebSignature:
         'typ', 'cty', 'crit'
     ])
 
+    MAX_CONTENT_LENGTH: int = 256000
+
     #: Defined available JWS algorithms in the registry
     ALGORITHMS_REGISTRY = {}
 
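Review bot: `MAX_CONTENT_LENGTH` is added without a doc comment, while the neighbouring `ALGORITHMS_REGISTRY` carries one in the file's `#:` style; propose `#: Upper bound on the length of a serialization accepted for deserialization; longer input is rejected before any decoding to bound the work an attacker can force.` The same value, 256000, is repeated as a bare literal in `extract_header` and `extract_segment` in authlib/jose/util.py, so the two limits can silently drift apart; defining it once (e.g. a module-level constant in util.py that this attribute refers to) would keep them in step. The class body continues outside the hunk.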
@@ -82,6 +84,9 @@ class JsonWebSignature:
 
         .. _`Section 7.1`: https://tools.ietf.org/html/rfc7515#section-7.1
         """
+        if len(s) > self.MAX_CONTENT_LENGTH:
+            raise ValueError("Serialization is too long.")
+
         try:
             s = to_bytes(s)
             signing_input, signature_segment = s.rsplit(b'.', 1)
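Review bot: The new guard raises a plain `ValueError`, whereas the decode failures in the `try` block that follows are presumably surfaced through the `error_cls`/`DecodeError` mechanism seen in authlib/jose/util.py, so a caller that catches `DecodeError` to reject malformed tokens will now let oversized input escape as an unhandled exception. If `DecodeError` is in scope here, `raise DecodeError("Serialization is too long.")` (or a dedicated subclass) keeps the failure mode uniform; the test hunk would need to match. Note also that `len(s)` runs before `to_bytes(s)`, so for a `str` it counts code points rather than bytes; compact serializations are ASCII, but a non-ASCII `str` could pass the character count and still exceed the byte limit after conversion, which `len(to_bytes(s))` would avoid. The enclosing method begins outside the hunk.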
Index: authlib-1.3.1/authlib/jose/util.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/util.py
+++ authlib-1.3.1/authlib/jose/util.py
@@ -4,6 +4,9 @@ from authlib.jose.errors import DecodeEr
 
 
 def extract_header(header_segment, error_cls):
+    if len(header_segment) > 256000:
+        raise ValueError("Value of header is too long")
+
     header_data = extract_segment(header_segment, error_cls, 'header')
 
     try:
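Review bot: `extract_header` raises a plain `ValueError` for an oversized segment even though it receives `error_cls` precisely so callers get their own exception type; the same applies to `extract_segment` in the next hunk. Propose `raise error_cls("Value of header is too long")` here and `raise error_cls(f"Value of {name} is too long")` below, assuming `error_cls` accepts a message as the existing decode-failure path presumably does. The check added to `extract_header` is also redundant: it passes `header_segment` straight to `extract_segment` with name `'header'`, which applies the identical 256000 limit and produces the identical message, so the first check adds nothing but a second `len()` call. The literal duplicates `JsonWebSignature.MAX_CONTENT_LENGTH` in jws.py; one shared constant would prevent the limits from diverging.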
@@ -17,6 +20,9 @@ def extract_header(header_segment, error
 
 
 def extract_segment(segment, error_cls, name='payload'):
+    if len(segment) > 256000:
+        raise ValueError(f"Value of {name} is too long")
+
     try:
         return urlsafe_b64decode(segment)
     except (TypeError, binascii.Error):
Index: authlib-1.3.1/tests/jose/test_jws.py
===================================================================
--- authlib-1.3.1.orig/tests/jose/test_jws.py
+++ authlib-1.3.1/tests/jose/test_jws.py
@@ -212,3 +212,17 @@ class JWSTest(unittest.TestCase):
         header, payload = data['header'], data['payload']
         self.assertEqual(payload, b'hello')
         self.assertEqual(header['alg'], 'ES256K')
+
+
+    def test_deserialize_exceeds_length(self):
+        jws = JsonWebSignature()
+        value = "aa" * 256000
+
+        # header exceeds length
+        self.assertRaises(ValueError, jws.deserialize, value + "." + value + "." + value, "")
+
+        # payload exceeds length
+        self.assertRaises(ValueError, jws.deserialize, "eyJhbGciOiJIUzI1NiJ9." + value + "." + value, "")
+
+        # signature exceeds length
+        self.assertRaises(ValueError, jws.deserialize, "eyJhbGciOiJIUzI1NiJ9.YQ." + value, "")
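Review bot: None of the three cases in `test_deserialize_exceeds_length` reaches the per-segment checks in authlib/jose/util.py that the comments describe: `value` is 512000 characters, so every input exceeds `MAX_CONTENT_LENGTH` and is rejected by the serialization-length guard added in jws.py before the segments are split. The comments `# header exceeds length`, `# payload exceeds length` and `# signature exceeds length` therefore name a path the test does not take, and the new guards in `extract_header`/`extract_segment` remain untested; since no single segment can exceed 256000 without the whole serialization doing so, call those two functions directly with an over-long string and assert on the raised exception. A positive case (a serialization just under the limit still deserializes) would pin the boundary instead of only the rejection. Style: the new method is preceded by two blank lines, where one is the usual spacing between methods inside a class.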