Do not allow base64url padding
paragonie-security committed Jun 10, 2022
1 parent e5991dd commit f16f865
Showing 8 changed files with 15 additions and 19 deletions.
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -24,7 +24,7 @@
"ext-json": "*",
"ext-openssl": "*",
"php": "^8.1",
"paragonie/constant_time_encoding": "^2",
"paragonie/constant_time_encoding": ">= 2.6",
"paragonie/corner": "^2",
"paragonie/easy-ecc": "^1",
"paragonie/sodium_compat": "^1.17"
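Review bot: The constraint `>= 2.6` on paragonie/constant_time_encoding has no upper bound, so Composer may resolve a future major release whose Base64UrlSafe API or decoding behaviour differs from what this commit relies on. For a library that decodes untrusted tokens and key material, a caret range keeps the floor (presumably the first release that provides decodeNoPadding()) while staying inside the major version the code was tested against: `"paragonie/constant_time_encoding": "^2.6"`. A later major can then be admitted explicitly once it has been verified, rather than by default.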
2 changes: 1 addition & 1 deletion src/Keys/AsymmetricSecretKey.php
Expand Up @@ -226,7 +226,7 @@ public function encodePem(): string
*/
public static function fromEncodedString(string $encoded, ProtocolInterface $version = null): self
{
$decoded = Base64UrlSafe::decode($encoded);
$decoded = Base64UrlSafe::decodeNoPadding($encoded);
return new self($decoded, $version);
}

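Review bot: The docblock of fromEncodedString() should say that padded input is no longer accepted, because an encoded key that carries trailing `=` (for example one produced by another tool) will now fail to load, and the failure originates in the decoder rather than in this class. A sentence such as `The encoded key must be unpadded base64url; input containing '=' padding is rejected.` plus a matching `@throws` entry would make the contract visible to callers. The docblock begins outside the hunk, so only its closing `*/` is visible here. SymmetricKey::fromEncodedString() needs the same addition.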
2 changes: 1 addition & 1 deletion src/Keys/SymmetricKey.php
Expand Up @@ -154,7 +154,7 @@ public function encode(): string
*/
public static function fromEncodedString(string $encoded, ProtocolInterface $version = null): self
{
$decoded = Base64UrlSafe::decode($encoded);
$decoded = Base64UrlSafe::decodeNoPadding($encoded);
return new self($decoded, $version);
}

4 changes: 2 additions & 2 deletions src/Parsing/PasetoMessage.php
Expand Up @@ -59,8 +59,8 @@ public static function fromString(string $tainted): self
}

$header = new Header($pieces[0], $pieces[1]);
$payload = Base64UrlSafe::decode($pieces[2]);
$footer = $count > 3 ? Base64UrlSafe::decode($pieces[3]) : '';
$payload = Base64UrlSafe::decodeNoPadding($pieces[2]);
$footer = $count > 3 ? Base64UrlSafe::decodeNoPadding($pieces[3]) : '';

return new self($header, $payload, $footer);
}
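Review bot: fromString() decodes the untrusted `$tainted` segments with decodeNoPadding() outside any try/catch visible in the hunk, so a token with a padded payload or footer would presumably surface the encoding library's own exception instead of PasetoException. Callers that treat PasetoException as the single rejection path for malformed tokens could then see an unhandled error. Wrapping the two decode calls the way the aeadDecrypt() hunks in Version3.php do, with `} catch (Throwable $ex) {` rethrowing as PasetoException, keeps rejection uniform. The same applies to Util::extractFooter() and to the verify() hunks in Version3.php and Version4.php. The function body starts outside the hunk, so an enclosing handler may already exist.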
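--- a/src/Protocol/Version3.php
+++ b/src/Protocol/Version3.php
@@ -354,9 +354,8 @@ public static function verify(
 }
 
 // PASETO Version 3 - Verify - Step 4:
-$decoded = Base64UrlSafe::decode(
-Binary::safeSubstr($signMsg, $headerLength),
-true
+$decoded = Base64UrlSafe::decodeNoPadding(
+Binary::safeSubstr($signMsg, $headerLength)
 );
 $len = Binary::safeStrlen($decoded);
 
@@ -497,9 +496,8 @@ public static function aeadDecrypt(
 
 // PASETO Version 3 - Decrypt - Step 4:
 try {
-$decoded = Base64UrlSafe::decode(
-Binary::safeSubstr($message, $expectedLen),
-true
+$decoded = Base64UrlSafe::decodeNoPadding(
+Binary::safeSubstr($message, $expectedLen)
 );
 } catch (Throwable $ex) {
 throw new PasetoException(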
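Review bot: Both hunks drop the explicit strict-mode argument `true`, so rejection of characters outside the base64url alphabet in verify() and aeadDecrypt() now depends on decodeNoPadding() decoding strictly on its own. That should be confirmed against the minimum library version allowed in composer.json. A short comment at each call would record the intent, e.g. `// decodeNoPadding(): rejects '=' padding and must stay strict about the alphabet`. Version4.php makes the same change at both of its Step 4 calls.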
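--- a/src/Protocol/Version4.php
+++ b/src/Protocol/Version4.php
@@ -326,9 +326,8 @@ public static function verify(
 }
 
 // PASETO Version 4 - Verify - Step 4:
-$decoded = Base64UrlSafe::decode(
-Binary::safeSubstr($signMsg, $headerLength),
-true
+$decoded = Base64UrlSafe::decodeNoPadding(
+Binary::safeSubstr($signMsg, $headerLength)
 );
 $len = Binary::safeStrlen($decoded);
 
@@ -464,9 +463,8 @@ public static function aeadDecrypt(
 
 // PASETO Version 4 - Decrypt - Step 4:
 try {
-$decoded = Base64UrlSafe::decode(
-Binary::safeSubstr($message, $expectedLen),
-true
+$decoded = Base64UrlSafe::decodeNoPadding(
+Binary::safeSubstr($message, $expectedLen)
 );
 } catch (Throwable $ex) {
 throw new PasetoException(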
2 changes: 1 addition & 1 deletion src/Util.php
Expand Up @@ -138,7 +138,7 @@ public static function extractFooter(string $payload): string
{
$pieces = explode('.', $payload);
if (count($pieces) > 3) {
return Base64UrlSafe::decode(array_pop($pieces));
return Base64UrlSafe::decodeNoPadding(array_pop($pieces));
}
return '';
}
2 changes: 1 addition & 1 deletion tests/KnownAnswerTest.php
Expand Up @@ -102,7 +102,7 @@ protected function genericTests(ProtocolInterface $protocol, array $tests): void
}

// If we're here, the first step did not fail, so let's assert this:
$this->assertFalse($test['expect-fail'], 'This test was expected to fail');
$this->assertFalse($test['expect-fail'], 'This test was expected to fail: ' . $test['name']);

// We should have the same plaintext payload:
$this->assertSame($test['payload'], $decoded, $test['name']);
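Review bot: The only test change in this commit is the assertion message, so nothing visible here pins the new behaviour that a padded payload, footer or encoded key is rejected. Unless the known-answer vectors consumed by genericTests() already contain padded tokens with `expect-fail` set, a dedicated case would guard against a regression to the tolerant decoder. It could take a token that parses successfully, add `=` padding to its final segment, and assert that parsing throws. genericTests() starts and ends outside the hunk.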
