author | Scott Arciszewski <scott@arciszewski.me> | 2015-04-01 03:18:23 -0400 |
committer | Scott Arciszewski <scott@arciszewski.me> | 2015-04-01 03:18:23 -0400 |
commit | 485d4cb0358dd9bd7013d18b09f0232b79e0b1d5 (patch) | |
tree | 5fc67107ff11654ae7b49ffc5f22521181931563 | |
parent | 62345abe5eb33e167841485c596f3e7337812127 (diff) | |
download | php-jwt-485d4cb0358dd9bd7013d18b09f0232b79e0b1d5.zip php-jwt-485d4cb0358dd9bd7013d18b09f0232b79e0b1d5.tar.gz php-jwt-485d4cb0358dd9bd7013d18b09f0232b79e0b1d5.tar.bz2 |
Harden against mbstring.func_overload edge-cases
-rw-r--r-- | Authentication/JWT.php | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 57541d3..1a78a32 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -192,13 +192,13 @@ class JWT
 case 'hash_hmac':
 default:
 $hash = hash_hmac($algo, $msg, $key, true);
- $len = min(strlen($signature), strlen($hash));
+ $len = min(self::safeStrlen($signature), self::safeStrlen($hash));
 $status = 0;
 for ($i = 0; $i < $len; $i++) {
 $status |= (ord($signature[$i]) ^ ord($hash[$i]));
 }
- $status |= (strlen($signature) ^ strlen($hash));
+ $status |= (self::safeStrlen($signature) ^ self::safeStrlen($hash));
 return ($status === 0);
 }
@@ -308,6 +308,20 @@ class JWT
 }
 /**
+ * Get the number of bytes in cryptographic strings.
+ *
+ * @param string
+ * @return int
+ */
+ private static function safeStrlen($str)
+ {
+ if (function_exists('mb_strlen')) {
+ return mb_strlen($str, '8bit');
+ }
+ return strlen($str);
+ }
+
+ /**
 * Set the only allowed method for this server.
 *
 * @ref https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ |
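Review bot: The hand-rolled XOR loop in the first hunk is still used even on PHP builds that provide `hash_equals()` (5.6+), which is the engine's own constant-time comparison and already handles the length check; the loop should only remain as the fallback for older runtimes. Inserting `if (function_exists('hash_equals')) { return hash_equals($hash, $signature); }` directly after the `$hash = hash_hmac($algo, $msg, $key, true);` line keeps the known value first, as that function expects. Since `hash_equals()` requires both arguments to be strings, a comment such as `// known value first; both operands must be strings` on that line would save the next reader a trip to the manual. The enclosing method begins and ends outside this hunk, so whether `$signature` is guaranteed to be a string at this point cannot be confirmed from the visible lines.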
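Review bot: The new `safeStrlen` docblock in the second hunk gives a type but no parameter name, so `@param string` should read `@param string $str` for documentation tooling to bind it. The method's reason for existing is also left to the commit title; a one-line why-comment above the `mb_strlen` call, e.g. `// with mbstring.func_overload enabled strlen() counts characters, so ask mb_strlen for raw bytes`, would make the `'8bit'` argument self-explanatory. The `function_exists('mb_strlen')` fallback to plain `strlen()` looks sound, since the overload only takes effect when mbstring is loaded.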