Also make sure audience claims in token contain only strings

The spec mandates that the audience claims must be strings (or a single
string). Without this check, an `audience=None` argument to decode()
would succeeed when the token contained a claim like ['urn:foo', null].

Author: wbolster-eiq

jwt/__init__.py

@@ -434,6 +434,8 @@ def verify_signature(payload, signing_input, header, signature, key='',
             audience_claims = [audience_claims]
         if not isinstance(audience_claims, list):
             raise InvalidAudienceError('Invalid claim format in token')
+        if any(not isinstance(c, basestring) for c in audience_claims):
+            raise InvalidAudienceError('Invalid claim format in token')
         if audience not in audience_claims:
             raise InvalidAudienceError('Invalid audience')
     elif audience is not None: