File CVE-2026-28490.patch of Package python-Authlib.43208
From 48b345f29f6c459f11c6a40162b6c0b742ef2e22 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang <me@lepture.com>
Date: Thu, 26 Feb 2026 00:10:46 +0800
Subject: [PATCH] fix(jose): remove deprecated algorithm from default registry
---
authlib/jose/rfc7515/jws.py | 8 ++++++--
authlib/jose/rfc7515/models.py | 1 +
authlib/jose/rfc7516/jwe.py | 14 +++++++++++---
authlib/jose/rfc7516/models.py | 1 +
authlib/jose/rfc7518/jwe_algs.py | 1 +
authlib/jose/rfc7518/jws_algs.py | 1 +
6 files changed, 21 insertions(+), 5 deletions(-)
Index: authlib-1.3.1/authlib/jose/rfc7515/jws.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7515/jws.py
+++ authlib-1.3.1/authlib/jose/rfc7515/jws.py
@@ -249,12 +249,16 @@ class JsonWebSignature:
raise MissingAlgorithmError()
alg = header['alg']
- if self._algorithms is not None and alg not in self._algorithms:
- raise UnsupportedAlgorithmError()
if alg not in self.ALGORITHMS_REGISTRY:
raise UnsupportedAlgorithmError()
algorithm = self.ALGORITHMS_REGISTRY[alg]
+ if self._algorithms is None:
+ if algorithm.deprecated:
+ raise UnsupportedAlgorithmError()
+ elif alg not in self._algorithms:
+ raise UnsupportedAlgorithmError()
+
if callable(key):
key = key(header, payload)
key = algorithm.prepare_key(key)
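Review bot: The new default-registry gate carries no comment, while the identical block added to `get_header_alg` in jwe.py explains both branches; add the same two lines here, `# no explicit allowlist: use every registered algorithm except deprecated ones` above the `if` and `# explicit allowlist: the caller opted in, the deprecated flag is not consulted` above the `elif`, so the next reader sees that `JsonWebSignature(algorithms=["none"])` deliberately re-enables a deprecated algorithm. Because the `elif` bypasses `algorithm.deprecated` entirely, an allowlist built from configuration can silently turn `none` back on; that is presumably the intended opt-in, but it belongs in the constructor's docstring. The enclosing method starts and ends outside this hunk.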
Index: authlib-1.3.1/authlib/jose/rfc7515/models.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7515/models.py
+++ authlib-1.3.1/authlib/jose/rfc7515/models.py
@@ -4,6 +4,7 @@ class JWSAlgorithm:
"""
name = None
description = None
+ deprecated = False
algorithm_type = 'JWS'
algorithm_location = 'alg'
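Review bot: The new `deprecated` class attribute has no comment explaining what it controls, and it is the only place a subclass author learns the contract; add `# True: refused by JsonWebSignature() unless the caller lists the name in algorithms=[...]` above it. The class body continues outside this hunk.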
Index: authlib-1.3.1/authlib/jose/rfc7516/jwe.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7516/jwe.py
+++ authlib-1.3.1/authlib/jose/rfc7516/jwe.py
@@ -662,11 +662,19 @@ class JsonWebEncryption:
raise MissingAlgorithmError()
alg = header['alg']
- if self._algorithms is not None and alg not in self._algorithms:
- raise UnsupportedAlgorithmError()
if alg not in self.ALG_REGISTRY:
raise UnsupportedAlgorithmError()
- return self.ALG_REGISTRY[alg]
+
+ instance = self.ALG_REGISTRY[alg]
+
+ # use all ALG_REGISTRY algorithms
+ if self._algorithms is None:
+ # do not use deprecated algorithms
+ if instance.deprecated:
+ raise UnsupportedAlgorithmError()
+ elif alg not in self._algorithms:
+ raise UnsupportedAlgorithmError()
+ return instance
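Review bot: The deprecated gate is applied only to the key-management `alg`; `get_header_enc`, which begins on the last lines of this hunk and continues outside it, gets no equivalent check and this patch adds `deprecated` only to `JWEAlgorithmBase`, so the policy presumably cannot be extended to a content-encryption algorithm without duplicating the block a third time (it already appears twice, here and in jws.py). Consider a small shared helper such as `_check_algorithm_allowed(name, instance, allowlist)` called from both `get_header_*` methods so the opt-in rule is applied uniformly. Stylistically the nesting can also be flattened into two guards, `if self._algorithms is None and instance.deprecated: raise UnsupportedAlgorithmError()` followed by `if self._algorithms is not None and alg not in self._algorithms: raise UnsupportedAlgorithmError()`, which reads as two independent rules rather than a branch with a nested `if`. The enclosing method starts outside this hunk.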
def get_header_enc(self, header):
if 'enc' not in header:
Index: authlib-1.3.1/authlib/jose/rfc7516/models.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7516/models.py
+++ authlib-1.3.1/authlib/jose/rfc7516/models.py
@@ -9,6 +9,7 @@ class JWEAlgorithmBase(metaclass=ABCMeta
name = None
description = None
+ deprecated = False
algorithm_type = 'JWE'
algorithm_location = 'alg'
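Review bot: The new `deprecated` attribute is undocumented at the point where subclass authors will look for it; add `# True: refused by JsonWebEncryption() unless the caller lists the name in algorithms=[...]` above it, mirroring the sibling attribute on `JWSAlgorithm`. The class body continues outside this hunk.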
Index: authlib-1.3.1/authlib/jose/rfc7518/jwe_algs.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7518/jwe_algs.py
+++ authlib-1.3.1/authlib/jose/rfc7518/jwe_algs.py
@@ -52,6 +52,7 @@ class RSAAlgorithm(JWEAlgorithm):
def __init__(self, name, description, pad_fn):
self.name = name
+ self.deprecated = name == "RSA1_5"
self.description = description
self.padding = pad_fn
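Review bot: `self.deprecated = name == "RSA1_5"` hides a security policy inside the constructor as a string comparison, with no comment saying why that one name is singled out; at minimum prefix it with `# RSA1_5 (RSAES-PKCS1-v1_5) is exposed to Bleichenbacher-style padding-oracle attacks; off by default, opt in via algorithms=[...]`. Cleaner is to make it a parameter, `def __init__(self, name, description, pad_fn, deprecated=False):` and `self.deprecated = deprecated`, with `deprecated=True` passed where the RSA1_5 instance is registered (outside this hunk), so the flag is visible next to the registry entry instead of being inferred from the name. The class body continues outside this hunk.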
Index: authlib-1.3.1/authlib/jose/rfc7518/jws_algs.py
===================================================================
--- authlib-1.3.1.orig/authlib/jose/rfc7518/jws_algs.py
+++ authlib-1.3.1/authlib/jose/rfc7518/jws_algs.py
@@ -26,6 +26,7 @@ from .util import encode_int, decode_int
class NoneAlgorithm(JWSAlgorithm):
name = 'none'
description = 'No digital signature or MAC performed'
+ deprecated = True
def prepare_key(self, raw_data):
return None
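Review bot: `deprecated = True` on `NoneAlgorithm` is the line that closes the unsigned-token path, and it deserves a why-comment; add `# "none" performs no signature or MAC check at all, so it is refused by the default registry and must be opted in with JsonWebSignature(algorithms=["none"])`. The class body continues outside this hunk.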
Index: authlib-1.3.1/tests/jose/test_jws.py
===================================================================
--- authlib-1.3.1.orig/tests/jose/test_jws.py
+++ authlib-1.3.1/tests/jose/test_jws.py
@@ -95,8 +95,8 @@ class JWSTest(unittest.TestCase):
self.assertRaises(errors.BadSignatureError, jws.deserialize, s, ssh_pub_key)
def test_compact_none(self):
- jws = JsonWebSignature()
- s = jws.serialize({'alg': 'none'}, 'hello', '')
+ jws = JsonWebSignature(algorithms=["none"])
+ s = jws.serialize({'alg': 'none'}, 'hello', None)
self.assertRaises(errors.BadSignatureError, jws.deserialize, s, '')
def test_flattened_json_jws(self):
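Review bot: The updated test only shows that `none` still works once explicitly allowed; nothing asserts the behaviour this patch actually introduces, that a default `JsonWebSignature()` refuses an `alg: none` token. Add after the serialize line `self.assertRaises(errors.UnsupportedAlgorithmError, JsonWebSignature().deserialize, s, '')`, and a matching JWE test that `JsonWebEncryption()` raises `UnsupportedAlgorithmError` on an `RSA1_5` header while `JsonWebEncryption(algorithms=["RSA1_5", ...])` accepts it, so a future refactor of the gate cannot silently reopen either path. Note that the diffstat at the top of the patch lists six files and does not include this test file, so this section appears to have been added by the package maintainer rather than taken from the upstream commit; the test body continues outside this hunk.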