Merge pull request #158 from aymanosman/main

fix links to blog post about critical vulnerabilities
potatosalad · Apr 7, 2024 · dc4720a · dc4720a
2 parents 5ccff06 + c532d45
commit dc4720a
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -353,7 +353,7 @@ iex> JOSE.JWS.merge(jws, %{"typ" => "JWT"}) |> JOSE.JWS.to_map |> elem(1)
 ## 1.4.0 (2015-11-17)
 
 * Enhancements
-  * Added `JOSE.unsecured_signing/0` and `JOSE.unsecured_signing/1` for disabling the `"none"` algorithm due to the [unsecured signing vulnerability](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/) and in relation to #10
+  * Added `JOSE.unsecured_signing/0` and `JOSE.unsecured_signing/1` for disabling the `"none"` algorithm due to the [unsecured signing vulnerability](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/) and in relation to #10
   * Added `JOSE.JWK.verify_strict/3`, `JOSE.JWS.verify_strict/3`, and `JOSE.JWT.verify_strict/3` for whitelisting which signing algorithms are allowed for verification.
   * Added `JOSE.JWT.peek_payload/1` and `JOSE.JWT.peek_protected/1` for inspecting the payload and protected parts of a signature.
 

diff --git a/README.md b/README.md
@@ -203,7 +203,7 @@ JOSE.JWA.supports()
 
 #### Unsecured Signing Vulnerability
 
-The [`"none"`](https://tools.ietf.org/html/rfc7515#appendix-A.5) signing algorithm is disabled by default to prevent accidental verification of empty signatures (read about the vulnerability [here](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/)).
+The [`"none"`](https://tools.ietf.org/html/rfc7515#appendix-A.5) signing algorithm is disabled by default to prevent accidental verification of empty signatures (read about the vulnerability [here](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)).
 
 If you want to further restrict the signature algorithms allowed for a token, use `JOSE.JWT.verify_strict/3`:
 

diff --git a/lib/jose.ex b/lib/jose.ex
@@ -168,7 +168,7 @@ defmodule JOSE do
 
   Enables/disables the `"none"` algorithm used for signing and verifying.
 
-  See [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/) for more information.
+  See [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/) for more information.
   """
   @spec unsecured_signing(boolean()) :: :ok
   defdelegate unsecured_signing(boolean), to: :jose

diff --git a/lib/jose/jws.ex b/lib/jose/jws.ex
@@ -8,7 +8,7 @@ defmodule JOSE.JWS do
 
   The [`"none"`](https://tools.ietf.org/html/rfc7515#appendix-A.5) signing
   algorithm is disabled by default to prevent accidental verification of empty
-  signatures (read about the vulnerability [here](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/)).
+  signatures (read about the vulnerability [here](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)).
 
   You may also enable the `"none"` algorithm as an application environment
   variable for `:jose` or by using `JOSE.unsecured_signing/1`.