Changeset

12838:2e71b76ac299

util.paseto: Stricter base64 decoding, as per spec
author Matthew Wild <mwild1@gmail.com>
date Fri, 13 Jan 2023 14:35:01 +0000
parents 12837:d3ae47d8a7a7
children 12839:7db1c1da7bfd
files util/paseto.lua
diffstat 1 files changed, 11 insertions(+), 0 deletions(-) [+]
--- a/util/paseto.lua	Fri Jan 13 14:34:10 2023 +0000
+++ b/util/paseto.lua	Fri Jan 13 14:35:01 2023 +0000
@@ -14,7 +14,18 @@
 local function b64url(data)
 	return (s_gsub(base64_encode(data), "[+/=]", b64url_rep));
 end
+
+local valid_tails = {
+	nil; -- Always invalid
+	"^.[AQgw]$"; -- b??????00
+	"^..[AQgwEUk0IYo4Mcs8]$"; -- b????0000
+}
+
 local function unb64url(data)
+	local rem = #data%4;
+	if data:sub(-1,-1) == "=" or rem == 1 or (rem > 1 and not data:sub(-rem):match(valid_tails[rem])) then
+		return nil;
+	end
 	return base64_decode(s_gsub(data, "[-_]", b64url_rep).."==");
 end
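Review bot: The new guard in `unb64url` checks only for a trailing `=` and the unused low bits of the last symbol, so input containing `+`, `/`, an interior `=` or any other byte outside the base64url alphabet still reaches `base64_decode`, because the `[-_]` substitution leaves those characters untouched. Whether they are then rejected depends on `base64_decode`, which is not visible here; if it accepts them, one payload has several accepted encodings, which matters wherever a token string is compared, cached or revoked by value. An explicit alphabet check ahead of the tail test would make the strictness independent of the decoder, e.g. `if data:find("[^A-Za-z0-9_%-]") then return nil; end`. Separately, the two comments in `valid_tails` look swapped and too wide for a 6-bit symbol: `[AQgw]` is the set whose low four bits are zero (the two-symbol tail) and the sixteen-character set has its low two bits zero, so `-- b??0000` and `-- b????00` would describe them correctly.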