extern/apprise
1
0
Fork 0
mirror of https://github.com/caronc/apprise.git synced 2024-11-25 01:24:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added disclaimer for AES-CBC-128 weakness with simplepush:// (#1215)

Browse Source
This commit is contained in:
Chris Caron 2024-10-03 22:11:53 -04:00 committed by GitHub
parent f656069e4a
commit 130edde6ca
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
apprise/plugins/simplepush.py
View File

@ -177,7 +177,25 @@ class NotifySimplePush(NotifyBase):
padder = padding.PKCS7(algorithms.AES.block_size).padder() padder = padding.PKCS7(algorithms.AES.block_size).padder()
content = padder.update(content.encode()) + padder.finalize() content = padder.update(content.encode()) + padder.finalize()
#
# Encryption Notice
#
# CBC mode doesn't provide integrity guarantees. Unless the message
# authentication for IV and the ciphertext are applied, it will be
# vulnerable to a padding oracle attack
# It is important to identify that both the Apprise package and team
# recognizes this AES-CBC-128 weakness but requires that it exists due
# to it being the SimplePush Requirement as documented on their
# website here https://simplepush.io/features.
# In the event the website link above does not exist/work, a screen
# capture of the reference to the requirement for this encryption
# can also be found on the Apprise SimplePush Wiki:
# https://github.com/caronc/apprise/wiki/Notify_simplepush\
# #lock-aes-cbc-128-encryption-weakness
#
encryptor = Cipher( encryptor = Cipher(
algorithms.AES(self._key), algorithms.AES(self._key),
modes.CBC(self._iv), modes.CBC(self._iv),