third_codes/oauth2
1
0
Fork 0
mirror of https://github.com/golang/oauth2.git synced 2025-07-21 00:00:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

jws: split token into fixed number of parts

Browse Source 
Thanks to 'jub0bs' for reporting this issue.

Fixes #71490
Fixes CVE-2025-22868

Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Neal Patel 2025-01-30 14:10:09 -05:00 committed by Gopher Robot
parent 3f78298bee
commit 681b4d8edc
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
jws/jws.go
View File

@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
// Verify tests whether the provided JWT token's signature was produced by the private key // Verify tests whether the provided JWT token's signature was produced by the private key
// associated with the supplied public key. // associated with the supplied public key.
func Verify(token string, key *rsa.PublicKey) error { func Verify(token string, key *rsa.PublicKey) error {
parts := strings.Split(token, ".") if strings.Count(token, ".") != 2 {
if len(parts) != 3 {
return errors.New("jws: invalid token received, token must have 3 parts") return errors.New("jws: invalid token received, token must have 3 parts")
} }
parts := strings.SplitN(token, ".", 3)
signedContent := parts[0] + "." + parts[1] signedContent := parts[0] + "." + parts[1]
signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil { if err != nil {