This repository has been archived by the owner on Apr 7, 2018. It is now read-only.

Fixed security issue: JVN#06120222
F21 committed May 1, 2015
1 parent 632f5fc commit a327cf9
Showing 2 changed files with 17 additions and 6 deletions.
11 changes: 6 additions & 5 deletions JWT/JWT.php
Expand Up @@ -25,7 +25,7 @@ public static function encode($payload, $key, $algo = 'HS256')
return implode('.', $segments);
}

public static function decode($jwt, $key = null, $verify = true)
public static function decode($jwt, $key = null, $algo = null)
{
$tks = explode('.', $jwt);
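
Review bot: In the new decode() signature, $algo = null takes the third positional slot that used to hold $verify, so an existing call such as decode($jwt, $key, true) or decode($jwt, $key, false) now passes a boolean as the algorithm with no error at the call site. Suggest checking at the top of decode() that $algo is a non-empty string whenever $key is set and throwing DomainException otherwise, and adding a docblock that says $algo is the algorithm the caller expects rather than the one named in the token header.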

Expand All @@ -45,20 +45,21 @@ public static function decode($jwt, $key = null, $verify = true)

$sig = JWT::urlsafeB64Decode($cryptob64);

if ($verify) {
if (isset($key)) {

if (empty($header->alg)) {
throw new DomainException('Empty algorithm');
}

if (!JWT::verifySignature($sig, "$headb64.$payloadb64", $key, $header->alg)) {
if (!JWT::verifySignature($sig, "$headb64.$payloadb64", $key, $algo)) {
throw new UnexpectedValueException('Signature verification failed');
}
}

return $payload;
}

private static function verifySignature($signature, $input, $key, $algo = 'HS256')
private static function verifySignature($signature, $input, $key, $algo)
{
switch ($algo) {
case'HS256':
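
Review bot: At if (isset($key)), verification is skipped whenever $key is null, which is the default, so decode($jwt) returns the payload of an unsigned or altered token with no sign that nothing was checked. An explicit opt-out, or a separately named method for unverified decoding, would keep the default path fail-closed. In the same block, $header->alg is still tested for being empty but is never compared with $algo; throwing when $header->alg !== $algo would turn a mismatch into an explicit error instead of a generic signature failure. Because switch ($algo) compares loosely in PHP, a non-string $algo such as true matches case 'HS256', so the type should be checked before verifySignature() is called.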
Expand All @@ -80,7 +81,7 @@ private static function verifySignature($signature, $input, $key, $algo = 'HS256
}
}

private static function sign($input, $key, $algo = 'HS256')
private static function sign($input, $key, $algo)
{
switch ($algo) {
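
Review bot: With the 'HS256' default removed from sign(), a null or unsupported $algo now reaches switch ($algo) directly, and the visible lines do not show what the default branch does. Please confirm it throws rather than returning an empty or false signature, and add a test that covers sign() and verifySignature() with an unsupported algorithm name.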

12 changes: 11 additions & 1 deletion README.md
@@ -1,8 +1,18 @@
JWT
===

A PHP library for encoding and decoding JSON Web Tokens.

**Important security notice**

Thanks to Toshiharu Sugiyama!

Please upgrade to 2.0 as soon as possible as previous versions are susceptible to verification bypass attacks if the same public key is used for signing when using asymmetric and symmetric algorithms.

This is a release breaks backwards compatibility because you now need to pass in the decoding algorithm when decoding in order to verify the JWT.

For more information see: JVN#06120222 at jpcert.or.jp


Supported Algorithms
--------------------
