admin console: log when JWTAuth::verify() doesn't have enough tokens
This is no longer a huge problem, but it's still a good idea to return early in that case. Found with the recently added admin_fuzzer, when I locally disabled the StringVector safety checks for test purposes.

(If you view the diff with -U30, then you see that we access tokens[2] later, so if size is < 3, we should give up.)

Change-Id: I46fc531fb042cc1485a17a9e994ad37e9ff0cd80
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91587
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>

distro/collabora/co-4-2-2
parent
4bdd0497ed
commit
fc88a872c2
Binary file not shown.
|
@ -0,0 +1 @@
|
|||
auth jwt=eyJakilliwiZXhwIjoiMTU4NTU3O3hbGciOiJUzI1NiIsInR5MJ0.DM1NeyJpc3MiOiJiJ9
|
|
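Review bot: the jwt value in this new seed line contains only one '.', so it splits into two segments and is presumably the input that reaches the new size check, but nothing in the change records that intent. Consider saying in the commit message (or through the seed's file name) that this input is the reproducer for the short-token case, so that it is not later pruned or "repaired" into a well-formed three-part token.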
@ -105,6 +105,12 @@ bool JWTAuth::verify(const std::string& accessToken)
|
|||
|
||||
try
|
||||
{
|
||||
if (tokens.size() < 3)
|
||||
{
|
||||
LOG_INF("JWTAuth: verification failed; Not enough tokens");
|
||||
return false;
|
||||
}
|
||||
|
||||
const std::string encodedBody = tokens[0] + '.' + tokens[1];
|
||||
_digestEngine.update(encodedBody.c_str(), static_cast<unsigned>(encodedBody.length()));
|
||||
Poco::Crypto::DigestEngine::Digest digest = _digestEngine.signature();
|
||||
|
|
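Review bot: the new guard `if (tokens.size() < 3)` rejects short input but still accepts a token with four or more dot-separated segments, in which case only tokens[0], tokens[1] and (per the commit message) tokens[2] are used and the rest is silently ignored. A compact JWS has exactly three segments, so unless extra segments are rejected elsewhere, `tokens.size() != 3` would be the stricter check. Two smaller points on the log line: a malformed token presented to the admin console is arguably worth a warning rather than LOG_INF, and including tokens.size() in the message would make the entry more useful when triaging failed logins.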