alistairwatts
I agree.
As I understand it concat_string is an internal function for revealing a string which has non-trivial construction within the source code. A contrived example for the injection_sql plugin would be...
I've created a more comprehensive pull request which includes tests: https://github.com/mpdavis/python-jose/pull/352
@heidemn-faro, if your application is not supporting encrypted tokens, then it doesn't look like the vulnerability affects you. You should be fine if you're not using `jose.jwe`, but please check...
Unfortunately the proposed fix just checks that the incoming uncompressed data is no more than 250KB. I don't know what the maximum size a maliciously crafted 250KB token could...
I've already opened a pull request for a more robust fix. See https://github.com/mpdavis/python-jose/pull/352