Skip to content

Commit

Permalink
Added disclaimer for AES-CBC-128 weakness with simplepush:// (#1215)
Browse files Browse the repository at this point in the history
  • Loading branch information
caronc authored Oct 4, 2024
1 parent f656069 commit 130edde
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion apprise/plugins/simplepush.py
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,25 @@ def _encrypt(self, content):

padder = padding.PKCS7(algorithms.AES.block_size).padder()
content = padder.update(content.encode()) + padder.finalize()

#
# Encryption Notice
#

# CBC mode doesn't provide integrity guarantees. Unless the message
# authentication for IV and the ciphertext are applied, it will be
# vulnerable to a padding oracle attack

# It is important to identify that both the Apprise package and team
# recognizes this AES-CBC-128 weakness but requires that it exists due
# to it being the SimplePush Requirement as documented on their
# website here https://simplepush.io/features.

# In the event the website link above does not exist/work, a screen
# capture of the reference to the requirement for this encryption
# can also be found on the Apprise SimplePush Wiki:
# https://github.com/caronc/apprise/wiki/Notify_simplepush\
# #lock-aes-cbc-128-encryption-weakness
#
encryptor = Cipher(
algorithms.AES(self._key),
modes.CBC(self._iv),
Expand Down

0 comments on commit 130edde

Please sign in to comment.