Detect invalid Base64 encoding in signature

psignoret · psignoret · commit 8b124452921c · 2016-07-26T09:48:05.000+02:00
diff --git a/src/JWT.php b/src/JWT.php
@@ -85,8 +85,10 @@ public static function decode($jwt, $key, $allowed_algs = array())
         if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
-        $sig = static::urlsafeB64Decode($cryptob64);
-        
+        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+            throw new UnexpectedValueException('Invalid signature encoding');
+        }
+
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }

Original file line number	Diff line number	Diff line change
`@@ -85,8 +85,10 @@ public static function decode($jwt, $key, $allowed_algs = array())`
`85`	`85`	`if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {`
`86`	`86`	`throw new UnexpectedValueException('Invalid claims encoding');`
`87`	`87`	`}`
`88`		`- $sig = static::urlsafeB64Decode($cryptob64);`
`89`		`-`
	`88`	`+ if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {`
	`89`	`+ throw new UnexpectedValueException('Invalid signature encoding');`
	`90`	`+ }`
	`91`	`+`
`90`	`92`	`if (empty($header->alg)) {`
`91`	`93`	`throw new UnexpectedValueException('Empty algorithm');`
`92`	`94`	`}`