From 130edde6cad0ccd2da62941c1dc659179ffac187 Mon Sep 17 00:00:00 2001 From: Chris Caron Date: Thu, 3 Oct 2024 22:11:53 -0400 Subject: [PATCH] Added disclaimer for AES-CBC-128 weakness with simplepush:// (#1215) --- apprise/plugins/simplepush.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/apprise/plugins/simplepush.py b/apprise/plugins/simplepush.py index 023fcf9d..f66b64c3 100644 --- a/apprise/plugins/simplepush.py +++ b/apprise/plugins/simplepush.py @@ -177,7 +177,25 @@ class NotifySimplePush(NotifyBase): padder = padding.PKCS7(algorithms.AES.block_size).padder() content = padder.update(content.encode()) + padder.finalize() + # + # Encryption Notice + # + # CBC mode doesn't provide integrity guarantees. Unless the message + # authentication for IV and the ciphertext are applied, it will be + # vulnerable to a padding oracle attack + + # It is important to identify that both the Apprise package and team + # recognizes this AES-CBC-128 weakness but requires that it exists due + # to it being the SimplePush Requirement as documented on their + # website here https://simplepush.io/features. + + # In the event the website link above does not exist/work, a screen + # capture of the reference to the requirement for this encryption + # can also be found on the Apprise SimplePush Wiki: + # https://github.com/caronc/apprise/wiki/Notify_simplepush\ + # #lock-aes-cbc-128-encryption-weakness + # encryptor = Cipher( algorithms.AES(self._key), modes.CBC(self._iv),