diff --git a/src/JWT.php b/src/JWT.php
index e9d75639..9189d694 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -109,14 +109,22 @@ public static function decode(
 throw new UnexpectedValueException('Wrong number of segments');
 }
 list($headb64, $bodyb64, $cryptob64) = $tks;
- $headerRaw = static::urlsafeB64Decode($headb64);
+ try {
+ $headerRaw = static::urlsafeB64Decode($headb64);
+ } catch (InvalidArgumentException $e) {
+ throw new UnexpectedValueException('Unable to decode header');
+ }
 if (null === ($header = static::jsonDecode($headerRaw))) {
 throw new UnexpectedValueException('Invalid header encoding');
 }
 if ($headers !== null) {
 $headers = $header;
 }
- $payloadRaw = static::urlsafeB64Decode($bodyb64);
+ try {
+ $payloadRaw = static::urlsafeB64Decode($bodyb64);
+ } catch (InvalidArgumentException $e) {
+ throw new UnexpectedValueException('Unable to decode payload');
+ }
 if (null === ($payload = static::jsonDecode($payloadRaw))) {
 throw new UnexpectedValueException('Invalid claims encoding');
 }
@@ -127,7 +135,11 @@ public static function decode(
 if (!$payload instanceof stdClass) {
 throw new UnexpectedValueException('Payload must be a JSON object');
 }
- $sig = static::urlsafeB64Decode($cryptob64);
+ try {
+ $sig = static::urlsafeB64Decode($cryptob64);
+ } catch (InvalidArgumentException $e) {
+ throw new UnexpectedValueException('Unable to decode signature');
+ }
 if (empty($header->alg)) {
 throw new UnexpectedValueException('Empty algorithm');
 }
@@ -415,7 +427,11 @@ public static function jsonEncode(array $input): string
 */
 public static function urlsafeB64Decode(string $input): string
 {
- return \base64_decode(self::convertBase64UrlToBase64($input));
+ $result = \base64_decode(self::convertBase64UrlToBase64($input), true);
+ if ($result === false) {
+ throw new InvalidArgumentException('Input is not valid Base64URL');
+ }
+ return $result;
 }
 
 /**
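Review bot: The `catch (InvalidArgumentException $e)` blocks added in decode() rethrow without the caught exception, so the base64 failure detail is dropped from the chain; pass it as the previous exception, e.g. `throw new UnexpectedValueException('Unable to decode header', 0, $e);` (and likewise for the payload catch a few lines below). It is also worth confirming the file has `use InvalidArgumentException;` — `\base64_decode` is fully qualified, so the file is namespaced, and in a namespaced file a catch on an unimported class name resolves to the namespace-local name and silently never matches, while the `throw new InvalidArgumentException` in urlsafeB64Decode would surface as a class-not-found error rather than the intended exception. The body of decode() starts before this hunk and continues after it.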
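Review bot: The try/catch wrapped around the signature decode is the third copy of the same five-line wrapper in decode(), differing only in the segment name in the message; a small private helper would keep the three in step and give one place to carry the original exception as `previous`. The call site then becomes `$sig = self::decodeSegment($cryptob64, 'signature');` with the header and payload decodes following the same shape. decode() continues outside this hunk on both sides, so the helper is sketched below as a separate method rather than as a change to the visible lines.
```php
// … unchanged: segment split and header/payload decoding …
$sig = self::decodeSegment($cryptob64, 'signature');
// … unchanged: alg checks …

/**
 * Decodes one base64url token segment, mapping a malformed segment to the
 * UnexpectedValueException that callers of decode() already handle.
 *
 * @throws UnexpectedValueException if the segment is not valid base64url
 */
private static function decodeSegment(string $b64, string $name): string
{
    try {
        return static::urlsafeB64Decode($b64);
    } catch (InvalidArgumentException $e) {
        // Keep the base64 failure reachable via getPrevious() for debugging.
        throw new UnexpectedValueException("Unable to decode {$name}", 0, $e);
    }
}
```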
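Review bot: `\base64_decode(..., true)` in urlsafeB64Decode is looser than the 'Input is not valid Base64URL' message suggests: PHP's strict flag still skips embedded whitespace and does not reject non-canonical trailing bits (worth confirming against the PHP version in use), and because convertBase64UrlToBase64 runs first, the standard-alphabet `+` and `/` are accepted as well. Several distinct encoded segments can therefore still decode to the same bytes; that does not weaken signature verification itself, but it matters for anything keyed on the raw token string such as replay caches or denylists. If that is in scope, reject the input up front with an alphabet check before the conversion, `if (!preg_match('/^[A-Za-z0-9_-]*=*$/', $input)) { throw new InvalidArgumentException('Input is not valid Base64URL'); }`, keeping the trailing `=` allowance only if convertBase64UrlToBase64 (not shown here) is meant to accept padded input. The method's docblock, cut at the top of this hunk, should also gain `@throws InvalidArgumentException when the input is not valid base64url`, since this is a new failure mode for a public method.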