Detect invalid Base64 encoding in signature (#162)
bshaffer authored Jun 21, 2017
1 parent b2a5316 commit d67523f
Showing 2 changed files with 10 additions and 2 deletions.
5 changes: 3 additions & 2 deletions src/JWT.php
@@ -87,8 +87,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
throw new UnexpectedValueException('Invalid claims encoding');
}
$sig = static::urlsafeB64Decode($cryptob64);

if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
throw new UnexpectedValueException('Invalid signature encoding');
}
if (empty($header->alg)) {
throw new UnexpectedValueException('Empty algorithm');
}
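Review bot: The new `false === ($sig = static::urlsafeB64Decode($cryptob64))` guard in decode() only fires if urlsafeB64Decode() can actually return false for malformed input, and that helper's body is not part of this hunk. If it calls `base64_decode` in its default non-strict mode, PHP silently skips characters outside the Base64 alphabet, so most malformed signature segments would still decode to some byte string and never reach this throw. Several different token strings would then map to the same signature bytes, which matters wherever the raw token text is used as a cache or revocation key. It is worth confirming the helper passes `true` as the second (strict) argument to `base64_decode`, and stating the contract above the check: `// urlsafeB64Decode() returns false on malformed Base64; reject before verifying`. decode() begins and ends outside the hunk.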
7 changes: 7 additions & 0 deletions tests/JWTTest.php
@@ -267,6 +267,13 @@ public function testInvalidSegmentCount()
JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));
}

public function testInvalidSignatureEncoding()
{
$msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
$this->setExpectedException('UnexpectedValueException');
JWT::decode($msg, 'secret', array('HS256'));
}

public function testVerifyError()
{
$this->setExpectedException('DomainException');
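Review bot: testInvalidSignatureEncoding asserts only the exception class, so it does not pin the new 'Invalid signature encoding' branch. Any other UnexpectedValueException thrown by decode() would satisfy it, and so would a subclass, if the library's signature-mismatch exception extends that class (not visible on this page). In that case the test would pass even with the encoding check removed. Asserting the message as well ties the test to the new guard: `$this->setExpectedException('UnexpectedValueException', 'Invalid signature encoding');`. A short comment on `$msg` saying that it is a valid HS256 token with two extra characters appended to the signature segment would also make the fixture self-explanatory.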