author | Brent Shaffer <betterbrent@google.com> | 2017-06-21 14:51:26 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-21 14:51:26 -0700 |
commit | d67523fd6a2da172a196fe41a73ba5d4b563619f (patch) | |
tree | 89c4bcebae4aab32efd291580240286f4e17f3dd | |
parent | b2a53166f9e2d8958be837e1b368c0897fc52a77 (diff) | |
Detect invalid Base64 encoding in signature (#162)
-rw-r--r-- | src/JWT.php | 5 | ||||
-rw-r--r-- | tests/JWTTest.php | 7 |
2 files changed, 10 insertions, 2 deletions
diff --git a/src/JWT.php b/src/JWT.php
index 814afc0..cb1ca7d 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -87,8 +87,9 @@ class JWT
         if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
-        $sig = static::urlsafeB64Decode($cryptob64);
-
+        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+            throw new UnexpectedValueException('Invalid signature encoding');
+        }
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index 99ae9c3..804a376 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -267,6 +267,13 @@ class JWTTest extends PHPUnit_Framework_TestCase
         JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));
     }
 
+    public function testInvalidSignatureEncoding()
+    {
+        $msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
+        $this->setExpectedException('UnexpectedValueException');
+        JWT::decode($msg, 'secret', array('HS256'));
+    }
+
     public function testVerifyError()
     {
         $this->setExpectedException('DomainException'); |
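Review bot: The new `false ===` guard only fires when urlsafeB64Decode itself reports failure, so a signature segment containing characters outside the base64url alphabet may still decode to a string instead of being rejected; if urlsafeB64Decode wraps base64_decode without its strict flag, as I believe it does in this library, such characters are silently skipped and the 'Invalid signature encoding' branch is never reached for them. Closing that gap would mean passing `true` as the strict argument to base64_decode inside urlsafeB64Decode (outside this hunk); the truncated-length case the commit's test exercises would still be caught. A short why-comment on the guard would also help, e.g. `// base64_decode signals failure with false; reject here rather than verify against garbage bytes`. The enclosing decode() starts and ends outside this hunk.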
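Review bot: testInvalidSignatureEncoding pins only the exception class, and if a signature-verification failure in this library also throws an UnexpectedValueException subclass the test would pass even when the new encoding guard never fires; passing the message too, `$this->setExpectedException('UnexpectedValueException', 'Invalid signature encoding');`, ties the test to the branch this commit adds. A comment on `$msg` stating why the token is malformed, e.g. `// 45-char signature segment: length mod 4 == 1 can never be valid Base64`, would save the next reader from counting characters. The neighbouring test methods start and end outside this hunk.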