openbadgeslib 1.1.6

@luisgf luisgf released this 01 Jul 08:18

Patch release closing the security & correctness audit backlog accumulated since v1.1.5 — 49 fixes across OB2/OB3 verification, the JWS engine, config parsing, and the CLI entrypoints. No API changes, no new dependencies; a drop-in upgrade.

Security

  • OB2 revocation no longer fails open on a falsy reason. A revoked serial whose issuer-published reason was "", null, false, or 0 was reported VALID instead of REVOKED. A matched serial is now always honored as revoked.
  • JWS: a private key supplied where a public verify key is expected is treated as a failed signature (SignatureError) instead of crashing with a raw AttributeError — closes a remotely-triggerable crash on the OB2 badge-embedded-key fallback path.
  • OB3 independently re-validates vc.validUntil/vc.validFrom against wall-clock time instead of trusting only the JWT exp claim, so an expired or not-yet-valid credential is rejected even if the JWT claim is decoupled from the vc-level dates.
  • download_file() rejects an HTTP redirect to a non-HTTPS target, closing a TLS scheme-downgrade gap in the HTTPS-only enforcement for the OB2 verify key, issuer document, and revocation list.
  • download_file() caps the response body at 5 MiB, bounding memory use against an attacker-influenced URL.
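
The fail-open pattern described in the OB2 revocation bullet above, next to a membership-based check, as an added example (not openbadgeslib's own code). It assumes the revocation list is a JSON object mapping serial to reason; the function names, the `RevocationListError` class and the sample list are hypothetical and constructed for illustration.

```python
import json


class RevocationListError(Exception):
    """Hypothetical typed error for a malformed revocation list."""


# Constructed sample: issuer-published revocation list, serial -> reason.
SAMPLE_LIST = json.loads("""
{
  "1001": "Issued in error",
  "1002": "",
  "1003": null,
  "1004": false,
  "1005": 0
}
""")


def is_revoked_fail_open(revocation_list, serial):
    """Buggy pattern: the truthiness of the reason decides revocation."""
    reason = revocation_list.get(serial)
    return bool(reason)  # "", None, False and 0 all read as "not revoked"


def check_revoked(revocation_list, serial):
    """Hardened: membership decides; the reason is informational only.

    Returns (revoked, reason).
    """
    if not isinstance(revocation_list, dict):
        raise RevocationListError("revocation list must be a JSON object")
    key = str(serial)
    if key in revocation_list:
        return True, revocation_list[key]
    return False, None


def missed_by_truthiness(revocation_list):
    """Serials that are listed but that the buggy check reports as valid."""
    return sorted(s for s in revocation_list
                  if not is_revoked_fail_open(revocation_list, s))


if __name__ == "__main__":
    for serial in sorted(SAMPLE_LIST):
        print(serial, is_revoked_fail_open(SAMPLE_LIST, serial),
              check_revoked(SAMPLE_LIST, serial)[0])
    print("missed by truthiness check:", missed_by_truthiness(SAMPLE_LIST))
```
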

Correctness & robustness

The verify/sign/CLI boundaries no longer leak raw KeyError/TypeError/AttributeError/ValueError/OSError tracebacks on malformed or hostile input. Highlights:

  • Every _jws exception now inherits LibOpenBadgesException.
  • OB2 read_from_file / check_revocation / check_expiration and OB3 credential parsing reject non-object/non-string claims with typed errors.
  • Malformed config.ini (bad INI syntax, unresolvable ${...} interpolation, encoding mismatch, missing/empty [paths] base) exits every CLI cleanly with a [!] … message.
  • openbadges-init/-publish exit cleanly on an existing target and restore the process umask in a try/finally.
  • Recipient mailto: binding is compared case-insensitively.

See Changelog.txt for the complete, itemized list.