jws: split token into fixed number of parts
Thanks to 'jub0bs' for reporting this issue.

Fixes #71490
Fixes CVE-2025-22868

Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
thatnealpatel authored and gopherbot committed Feb 24, 2025
1 parent 3f78298 commit 681b4d8
Showing 1 changed file with 2 additions and 2 deletions.
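--- a/jws/jws.go
+++ b/jws/jws.go
@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
-parts := strings.Split(token, ".")
-if len(parts) != 3 {
+if strings.Count(token, ".") != 2 {
 return errors.New("jws: invalid token received, token must have 3 parts")
 }
 
+parts := strings.SplitN(token, ".", 3)
 signedContent := parts[0] + "." + parts[1]
 signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
 if err != nil {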
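Review bot: The new `strings.Count(token, ".") != 2` guard in Verify has no comment explaining why it comes before the split, and the commit touches only jws/jws.go, so no regression test pins the behaviour; a later cleanup could fold it back into `strings.Split` plus `len(parts) != 3`, which allocates one slice entry per '.' in a caller-supplied token. I would add above the check `// Count separators before splitting so a token with many '.' cannot force a large allocation.` and a test that passes Verify a token with far more than two separators and expects the "token must have 3 parts" error. The guard still scans the whole token and the later base64 decode allocates in proportion to parts[2], so callers that accept tokens from the network should also cap the input size before calling Verify. Verify's body continues past the end of the hunk.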
