|
| 1 | +From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 |
| 2 | +From: Neal Patel <nealpatel@google.com> |
| 3 | +Date: Thu, 30 Jan 2025 14:10:09 -0500 |
| 4 | +Subject: [PATCH] jws: split token into fixed number of parts |
| 5 | + |
| 6 | +Thanks to 'jub0bs' for reporting this issue. |
| 7 | + |
| 8 | +Fixes #71490 |
| 9 | +Fixes CVE-2025-22868 |
| 10 | + |
| 11 | +Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 |
| 12 | +Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 |
| 13 | +Auto-Submit: Gopher Robot <gobot@golang.org> |
| 14 | +Reviewed-by: Damien Neil <dneil@google.com> |
| 15 | +Reviewed-by: Roland Shoemaker <roland@golang.org> |
| 16 | +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> |
| 17 | +--- |
| 18 | + vendor/golang.org/x/oauth2/jws/jws.go | 4 ++-- |
| 19 | + 1 file changed, 2 insertions(+), 2 deletions(-) |
| 20 | + |
| 21 | +diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go |
| 22 | +index 95015648b..6f03a49d3 100644 |
| 23 | +--- a/vendor/golang.org/x/oauth2/jws/jws.go |
| 24 | ++++ b/vendor/golang.org/x/oauth2/jws/jws.go |
| 25 | +@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { |
| 26 | + // Verify tests whether the provided JWT token's signature was produced by the private key |
| 27 | + // associated with the supplied public key. |
| 28 | + func Verify(token string, key *rsa.PublicKey) error { |
| 29 | +- parts := strings.Split(token, ".") |
| 30 | +- if len(parts) != 3 { |
| 31 | ++ if strings.Count(token, ".") != 2 { |
| 32 | + return errors.New("jws: invalid token received, token must have 3 parts") |
| 33 | + } |
| 34 | + |
| 35 | ++ parts := strings.SplitN(token, ".", 3) |
| 36 | + signedContent := parts[0] + "." + parts[1] |
| 37 | + signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) |
| 38 | + if err != nil { |
0 commit comments