From f987c4343e1829d6bd8ac7e5f74f189dc4f66da3 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Fri, 13 Jan 2023 14:35:01 +0000 Subject: util.paseto: Stricter base64 decoding, as per spec --- util/paseto.lua | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'util/paseto.lua') diff --git a/util/paseto.lua b/util/paseto.lua index 8b564c96..44210b1e 100644 --- a/util/paseto.lua +++ b/util/paseto.lua @@ -14,7 +14,18 @@ local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = local function b64url(data) return (s_gsub(base64_encode(data), "[+/=]", b64url_rep)); end + +local valid_tails = { + nil; -- Always invalid + "^.[AQgw]$"; -- b??????00 + "^..[AQgwEUk0IYo4Mcs8]$"; -- b????0000 +} + local function unb64url(data) + local rem = #data%4; + if data:sub(-1,-1) == "=" or rem == 1 or (rem > 1 and not data:sub(-rem):match(valid_tails[rem])) then + return nil; + end return base64_decode(s_gsub(data, "[-_]", b64url_rep).."=="); end -- cgit v1.2.3
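Review bot: The bit-pattern comments on the two `valid_tails` entries are swapped relative to the character classes they annotate: a two-character tail carries 12 bits for one byte, so the last character must have its low four bits clear (`[AQgw]`, i.e. `b????0000`), while a three-character tail carries 18 bits for two bytes and only needs the low two bits clear (`[AQgwEUk0IYo4Mcs8]`, i.e. `b??????00`); the entries should read `"^.[AQgw]$"; -- last char b????0000` and `"^..[AQgwEUk0IYo4Mcs8]$"; -- last char b??????00`. The new guard in `unb64url` also never confirms that `data` is drawn from the base64url alphabet: `+`, `/`, whitespace or an embedded `=` pass the `[-_]` substitution untouched and reach `base64_decode`, so whether such non-canonical input is rejected depends on that decoder's tolerance rather than on this function, and an explicit `if data:find("[^A-Za-z0-9_%-]") then return nil; end` ahead of the padding test would make the strictness the commit subject promises independent of it. Finally, the leading `nil;` entry in `valid_tails` leaves a hole that makes `#valid_tails` ill-defined; it is harmless today because `rem == 1` is rejected before the table lookup, but `[2] = ...; [3] = ...` keys would express the same mapping without relying on that ordering.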