Merge pull request jpadilla#66 from wbolster/issue-65

jpadilla · jpadilla · commit f3276d82cf87 · 2015-01-06T09:09:14.000-04:00
Verify that decoded header and payload are json objects
diff --git a/jwt/__init__.py b/jwt/__init__.py
@@ -340,6 +340,8 @@ def load(jwt):
         header = json.loads(header_data.decode('utf-8'))
     except ValueError as e:
         raise DecodeError('Invalid header string: %s' % e)
+    if not isinstance(header, Mapping):
+        raise DecodeError('Invalid header string: must be a json object')
 
     try:
         payload_data = base64url_decode(payload_segment)
@@ -349,6 +351,8 @@ def load(jwt):
         payload = json.loads(payload_data.decode('utf-8'))
     except ValueError as e:
         raise DecodeError('Invalid payload string: %s' % e)
+    if not isinstance(payload, Mapping):
+        raise DecodeError('Invalid payload string: must be a json object')
 
     try:
         signature = base64url_decode(crypto_segment)
