util.paseto: Stricter base64 decoding, as per spec

2025-04-04 05:37:39 +03:00 · 2023-01-13 14:35:01 +00:00 · 2023-01-13 14:35:01 +00:00 · f987c4343e
commit f987c4343e
parent 26dc334ae3
1 changed files with 11 additions and 0 deletions
--- a/util/paseto.lua
+++ b/util/paseto.lua
@ -14,7 +14,18 @@ local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] =
 local function b64url(data)
 	return (s_gsub(base64_encode(data), "[+/=]", b64url_rep));
 end
+
+local valid_tails = {
+	nil; -- Always invalid
+	"^.[AQgw]$"; -- b??????00
+	"^..[AQgwEUk0IYo4Mcs8]$"; -- b????0000
+}
+
 local function unb64url(data)
+	local rem = #data%4;
+	if data:sub(-1,-1) == "=" or rem == 1 or (rem > 1 and not data:sub(-rem):match(valid_tails[rem])) then
+		return nil;
+	end
 	return base64_decode(s_gsub(data, "[-_]", b64url_rep).."==");
 end