-rw-r--r-- | Authentication/JWT.php | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
index 57541d3..1a78a32 100644
--- a/Authentication/JWT.php
+++ b/Authentication/JWT.php
@@ -192,13 +192,13 @@ class JWT
 case 'hash_hmac':
 default:
 $hash = hash_hmac($algo, $msg, $key, true);
- $len = min(strlen($signature), strlen($hash));
+ $len = min(self::safeStrlen($signature), self::safeStrlen($hash));
 $status = 0;
 for ($i = 0; $i < $len; $i++) {
 $status |= (ord($signature[$i]) ^ ord($hash[$i]));
 }
- $status |= (strlen($signature) ^ strlen($hash));
+ $status |= (self::safeStrlen($signature) ^ self::safeStrlen($hash));
 return ($status === 0);
 }
@@ -308,6 +308,20 @@ class JWT
 }
 /**
+ * Get the number of bytes in cryptographic strings.
+ *
+ * @param string
+ * @return int
+ */
+ private static function safeStrlen($str)
+ {
+ if (function_exists('mb_strlen')) {
+ return mb_strlen($str, '8bit');
+ }
+ return strlen($str);
+ }
+
+ /**
 * Set the only allowed method for this server.
 *
 * @ref https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ |
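Review bot: The hand-rolled byte loop in the `hash_hmac` branch should defer to `hash_equals()` where it exists, since that is the constant-time comparison PHP itself maintains and it operates on raw bytes regardless of `mbstring.func_overload`, which appears to be the same concern the new `safeStrlen` guards against; the file already uses the `function_exists` pattern, so a guard just before the loop fits: `if (function_exists('hash_equals')) { return hash_equals($hash, $signature); }` (known-good value first, as that function expects). The loop itself stays consistent with the new byte-length calls because `$signature[$i]` offset access is byte-wise, so no further change is needed there. Separately, the new docblock's `@param string` is missing the parameter name and should read `@param string $str`. The method enclosing this `switch` starts before the first hunk and its body continues past it, so the early return should be placed where `$hash` and `$signature` are both already bound.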