This sounds like it must be limited to PKI/PKIZ tokens? Fernet tokens would fail their HMAC and there is no room to manipulate UUID tokens unless you're guessing a completely different one.
In the script to reproduce, mutating token_bin[1] would be manipulating the CMS length prefix (MIIE-*, etc.), in which case, I wonder if there's a bug in OpenSSL?
Jeremy: please don't open this bug just because the paste is public. There's nothing in the paste that shouts "security vulnerability," and we should certainly have the ability to delete pastes (and move them here), no?
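For reference, an added example (not part of the comment above and not Keystone or OpenSSL code) showing what byte 1 of a DER-encoded blob is and a strict check that rejects a blob whose outer length prefix no longer matches its size. It assumes the token has already been decoded to raw DER bytes; the function names are hypothetical and the sample blob is constructed.

```python
import base64

def read_der_header(buf):
    """Parse the outer DER header; return (tag, header_len, content_len)."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short form: byte 1 is the length
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if len(buf) < 2 + n:
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[2:2 + n], "big")
    if buf[2] == 0 or length < 0x80:       # DER requires the minimal encoding
        raise ValueError("non-minimal length encoding")
    return tag, 2 + n, length

def is_strict_outer_sequence(buf):
    """True only if buf is exactly one SEQUENCE whose declared length matches."""
    try:
        tag, header_len, content_len = read_der_header(buf)
    except ValueError:
        return False
    return tag == 0x30 and header_len + content_len == len(buf)

def with_byte1(buf, value):
    """Copy of buf with byte 1 (the length-form octet) replaced."""
    out = bytearray(buf)
    out[1] = value
    return bytes(out)

# Constructed sample: SEQUENCE header 30 82 04 4C followed by 0x044C zero bytes.
# It stands in for a decoded token body; it is not a real CMS structure.
SAMPLE = bytes([0x30, 0x82, 0x04, 0x4C]) + bytes(0x044C)

if __name__ == "__main__":
    # "MIIE" is base64 for 30 82 04: SEQUENCE, long-form length, 2 length bytes.
    print(base64.b64decode("MIIE").hex())
    print("original:", is_strict_outer_sequence(SAMPLE))
    for value in (0x81, 0x83, 0x04):
        print(hex(value), is_strict_outer_sequence(with_byte1(SAMPLE, value)))
```
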