From 3bea812acefebc9ee108aa24557be3ba8971daf1 Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang
Date: Tue, 4 Jun 2024 11:34:43 +0900
Subject: [PATCH 1/2] fix: prevent OctKey to import ssh/rsa/pem keys

https://github.com/lepture/authlib/issues/654
---
 authlib/jose/rfc7518/oct_key.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/authlib/jose/rfc7518/oct_key.py b/authlib/jose/rfc7518/oct_key.py
index 1db321a7..44e1f724 100644
--- a/authlib/jose/rfc7518/oct_key.py
+++ b/authlib/jose/rfc7518/oct_key.py
@@ -6,6 +6,16 @@
 from ..rfc7517 import Key
+POSSIBLE_UNSAFE_KEYS = (
+ b"-----BEGIN ",
+ b"---- BEGIN ",
+ b"ssh-rsa ",
+ b"ssh-dss ",
+ b"ssh-ed25519 ",
+ b"ecdsa-sha2-",
+)
+
+
 class OctKey(Key):
 """Key class of the ``oct`` key type."""
@@ -65,6 +75,11 @@ def import_key(cls, raw, options=None):
 key._dict_data = raw
 else:
 raw_key = to_bytes(raw)
+
+ # security check
+ if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):
+ raise ValueError("This key may not be safe to import")
+
 key = cls(raw_key=raw_key, options=options)
 return key

From df226ab587c453029ef5083a7e1c5dc6772647dd Mon Sep 17 00:00:00 2001
From: Hsiaoming Yang
Date: Tue, 4 Jun 2024 11:38:10 +0900
Subject: [PATCH 2/2] chore: release 1.3.1

---
 authlib/consts.py | 2 +-
 docs/changelog.rst | 8 ++++++++
 docs/conf.py | 9 ++-------
 docs/requirements.txt | 6 +++---
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/authlib/consts.py b/authlib/consts.py
index e310e793..0eff0669 100644
--- a/authlib/consts.py
+++ b/authlib/consts.py
@@ -1,5 +1,5 @@
 name = 'Authlib'
-version = '1.3.0'
+version = '1.3.1'
 author = 'Hsiaoming Yang '
 homepage = 'https://authlib.org/'
 default_user_agent = f'{name}/{version} (+{homepage})'
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 37faeb65..bd7892ec 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
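Review bot: The guard `if raw_key.startswith(POSSIBLE_UNSAFE_KEYS):` in import_key is a prefix denylist, so leading whitespace or a BOM before `-----BEGIN`, a DER or base64-only encoding, and the FIDO `sk-ssh-ed25519@openssh.com ` / `sk-ecdsa-sha2-` key types all pass it; checking a normalized copy, `if raw_key.lstrip().startswith(POSSIBLE_UNSAFE_KEYS):`, and adding the `sk-` prefixes to the tuple narrows that while leaving the stored bytes unchanged. Since `cls(raw_key=raw_key, options=options)` is still reachable directly, presumably without this check, the tuple deserves a comment stating its intent and limits, e.g. `# Heuristic denylist of PEM / OpenSSH public-key prefixes: an asymmetric key mistakenly imported as an oct secret would become an HMAC key (issue #654); only import_key() applies it.` The commit adds no regression test; one asserting that import_key raises for each prefix and still accepts an ordinary secret would pin the behaviour. The message could also name the cause, `raise ValueError("OctKey cannot import PEM or SSH encoded keys")`, and import_key's body starts outside the hunk.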
@@ -6,6 +6,14 @@ Changelog
 Here you can see the full list of changes between each Authlib release.
+Version 1.3.1
+-------------
+
+**Released on June 4, 2024**
+
+- Prevent ``OctKey`` to import ssh and PEM strings.
+
+
 Version 1.3.0
 -------------
diff --git a/docs/conf.py b/docs/conf.py
index 7ba1f6e6..8ea1905e 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -35,15 +35,10 @@
 }
 html_favicon = '_static/icon.svg'
 html_theme_options = {
- 'og_image_url': 'https://authlib.org/logo.png',
+ "accent_color": "blue",
+ "og_image_url": 'https://authlib.org/logo.png',
 "light_logo": "_static/light-logo.svg",
 "dark_logo": "_static/dark-logo.svg",
- "light_css_variables": {
- "--sy-rc-theme": "62,127,203",
- },
- "dark_css_variables": {
- "--sy-rc-theme": "102,173,255",
- },
 "twitter_site": "authlib",
 "twitter_creator": "lepture",
 "twitter_url": "https://twitter.com/authlib",
diff --git a/docs/requirements.txt b/docs/requirements.txt
index cdf3ad8c..a04dd374 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -7,7 +7,7 @@
 requests
 httpx>=0.18.2
 starlette
-sphinx==6.2.1
-sphinx-design==0.4.1
-sphinx-copybutton==0.5.2
+sphinx
+sphinx-design
+sphinx-copybutton
 shibuya
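Review bot: Dropping the `==` pins on `sphinx`, `sphinx-design` and `sphinx-copybutton` in docs/requirements.txt makes the docs build non-reproducible: every run resolves the newest release of each, so an incompatible or compromised upload is picked up automatically. If the pins were removed to move off an outdated version, a lower bound such as `sphinx>=6.2.1` keeps that intent while still constraining the range, or the unpinned file can be paired with a generated lock (pip-compile output) that the docs job installs from. This only affects the documentation pipeline, not the installed package, so the exposure is limited to that environment.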