Comparing changes

base repository: golang-jwt/jwt
base: v4.4.3
head repository: golang-jwt/jwt
compare: v4.5.0
  • 2 commits
  • 3 files changed
  • 2 contributors

Commits on Nov 29, 2022

  1. 2f0984a

Commits on Dec 9, 2022

  1. Allow strict base64 decoding (#259)

    By default the base64 decoder works in non-strict mode, which
    allows tweaking signatures having padding without failing validation.
    
    This creates a potential problem if an application treats the token value as an identifier.
    
    For example, an ES256 signature has a length of 64 bytes and two padding symbols (stripped by default).
    Therefore its base64-encoded value can only end with A, Q, g and w.
    In non-strict mode the last symbol could be tweaked, resulting in 16 distinct
    token values having the same signature and passing validation.
    
    This change adds a backward-compatible global config variable DecodeStrict
    (similar to the existing DecodePaddingAllowed) that enables strict base64 decoder mode.
    
    See also golang/go#15656.
    
    Signed-off-by: Alexander Yastrebov <[email protected]>
    AlexanderYastrebov authored Dec 9, 2022
    9358574
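
The effect described in the commit message above can be reproduced with Go's standard `encoding/base64` alone. The following is an added example, not code from the golang-jwt/jwt repository: it counts how many last-character variants of an unpadded 64-byte value decode to the same bytes in non-strict and in strict mode. The helper names and the sample bytes are constructed for illustration, and a real ES256 signature is not required for the encoding property to hold.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
)

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

// lastCharVariants (hypothetical helper) returns every string that differs from
// sig only in its final character and still decodes under enc to the same bytes.
func lastCharVariants(enc *base64.Encoding, sig string) []string {
	want, err := enc.DecodeString(sig)
	if err != nil {
		return nil
	}
	var out []string
	for _, c := range alphabet {
		candidate := sig[:len(sig)-1] + string(c)
		got, err := enc.DecodeString(candidate)
		if err == nil && bytes.Equal(got, want) {
			out = append(out, candidate)
		}
	}
	return out
}

// sampleSignature returns constructed 64 bytes (the length of an ES256
// signature) in unpadded base64url, the form used in a JWT's third segment.
func sampleSignature() string {
	raw := make([]byte, 64)
	for i := range raw {
		raw[i] = byte(i*7 + 3)
	}
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	sig := sampleSignature()
	lax := lastCharVariants(base64.RawURLEncoding, sig)
	strict := lastCharVariants(base64.RawURLEncoding.Strict(), sig)
	fmt.Printf("non-strict: %d encodings accepted for one signature\n", len(lax))
	fmt.Printf("strict:     %d encoding accepted: %v\n", len(strict), strict[0] == sig)
}
```

A 64-byte value leaves one byte in the final base64 group, so the last character carries only two significant bits; strict mode rejects any encoding whose four trailing bits are non-zero.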