Detect invalid Base64 encoding in signature (#162)

bshaffer · web-flow · commit d67523fd6a2d · 2017-06-21T14:51:26.000-07:00
diff --git a/src/JWT.php b/src/JWT.php
@@ -87,8 +87,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
         if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
-        $sig = static::urlsafeB64Decode($cryptob64);
-
+        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+            throw new UnexpectedValueException('Invalid signature encoding');
+        }
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -267,6 +267,13 @@ public function testInvalidSegmentCount()
         JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));
     }
 
+    public function testInvalidSignatureEncoding()
+    {
+        $msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
+        $this->setExpectedException('UnexpectedValueException');
+        JWT::decode($msg, 'secret', array('HS256'));
+    }
+
     public function testVerifyError()
     {
         $this->setExpectedException('DomainException');

Original file line number	Diff line number	Diff line change
`@@ -87,8 +87,9 @@ public static function decode($jwt, $key, $allowed_algs = array())`
`87`	`87`	`if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {`
`88`	`88`	`throw new UnexpectedValueException('Invalid claims encoding');`
`89`	`89`	`}`
`90`		`- $sig = static::urlsafeB64Decode($cryptob64);`
`91`		`-`
	`90`	`+ if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {`
	`91`	`+ throw new UnexpectedValueException('Invalid signature encoding');`
	`92`	`+ }`
`92`	`93`	`if (empty($header->alg)) {`
`93`	`94`	`throw new UnexpectedValueException('Empty algorithm');`
`94`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,13 @@ public function testInvalidSegmentCount()`
`267`	`267`	`JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));`
`268`	`268`	`}`
`269`	`269`
	`270`	`+ public function testInvalidSignatureEncoding()`
	`271`	`+ {`
	`272`	`+ $msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";`
	`273`	`+ $this->setExpectedException('UnexpectedValueException');`
	`274`	`+ JWT::decode($msg, 'secret', array('HS256'));`
	`275`	`+ }`
	`276`	`+`
`270`	`277`	`public function testVerifyError()`
`271`	`278`	`{`
`272`	`279`	`$this->setExpectedException('DomainException');`