diff --git a/src/JWT.php b/src/JWT.php
index 814afc0a..cb1ca7d1 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -87,8 +87,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
 if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
 throw new UnexpectedValueException('Invalid claims encoding');
 }
- $sig = static::urlsafeB64Decode($cryptob64);
-
+ if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+ throw new UnexpectedValueException('Invalid signature encoding');
+ }
 if (empty($header->alg)) {
 throw new UnexpectedValueException('Empty algorithm');
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index 99ae9c38..804a3769 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -267,6 +267,13 @@ public function testInvalidSegmentCount()
 JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));
 }
 
+ public function testInvalidSignatureEncoding()
+ {
+ $msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
+ $this->setExpectedException('UnexpectedValueException');
+ JWT::decode($msg, 'secret', array('HS256'));
+ }
+
 public function testVerifyError()
 {
 $this->setExpectedException('DomainException');
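Review bot: The new guard on the `$sig` assignment only catches the case where urlsafeB64Decode() reports failure by returning false; if that helper wraps a non-strict base64_decode (its body is not in this hunk), a signature segment containing characters outside the base64url alphabet still decodes to some byte string and reaches verify() unflagged, so the comparison inside verify() remains the actual defence and this check is best read as an early, clearer error for obviously malformed tokens. A one-line comment would make that intent explicit for the next reader: `// reject a signature segment that cannot be decoded at all before it reaches verify()`. The message wording is consistent with the 'Invalid claims encoding' check directly above it. decode()'s body continues outside the hunk.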
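Review bot: testInvalidSignatureEncoding expects only the exception class, so it would also pass if decode() threw UnexpectedValueException from a different branch (for instance the 'Invalid claims encoding' or 'Empty algorithm' paths visible in the src hunk), which means it does not pin the new guard specifically; pass the message too, `$this->setExpectedException('UnexpectedValueException', 'Invalid signature encoding');`. The fixture string gives no hint of what is wrong with it — a short comment such as `// third segment is constructed so that urlsafeB64Decode() fails, not merely so that verify() rejects it` would save the next reader from decoding it by hand. setExpectedException() matches the surrounding tests, so no change is needed there.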