[Bug] JsonWebToken.ReadToken doesn't correctly check dot 3 in JWE #2507

pmaytak · 2024-02-28T07:05:01Z

Which version of Microsoft.IdentityModel are you using?
7.4.0

Where is the issue?

M.IM.JsonWebTokens

Actual behavior
This check incorrectly checks if dot 3 is at the last index (in a malformed JWE). The code still works since JWE in a.b.c. format will be caught when dot 4 is checked.

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebToken.cs

Line 466 in fc61f2c

    
           if (Dot3 == encodedTokenSpan.Length) // TODO: Should this be encodedJsonSpan.Length - 1?

The text was updated successfully, but these errors were encountered:

pmaytak added Bug Product is not functioning as expected P3 If we have time in the milestone or it just is easy when addressing a more important issue labels Feb 28, 2024

pmaytak self-assigned this Feb 28, 2024

pmaytak added this to the 7.4.1 milestone Feb 28, 2024

pmaytak mentioned this issue Feb 28, 2024

Add test case. Fix Dot3 in read JWT. #2501

Merged

pmaytak closed this as completed in #2501 Feb 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] JsonWebToken.ReadToken doesn't correctly check dot 3 in JWE #2507

[Bug] JsonWebToken.ReadToken doesn't correctly check dot 3 in JWE #2507

pmaytak commented Feb 28, 2024

[Bug] JsonWebToken.ReadToken doesn't correctly check dot 3 in JWE #2507

[Bug] JsonWebToken.ReadToken doesn't correctly check dot 3 in JWE #2507

Comments

pmaytak commented Feb 28, 2024