diff --git a/src/JWT.php b/src/JWT.php
index 1c71ab3d..f03972f7 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -107,7 +107,7 @@ public static function decode(
 if (empty($keyOrKeyArray)) {
 throw new InvalidArgumentException('Key may not be empty');
 }
- $tks = \explode('.', $jwt);
+ $tks = \explode('.', $jwt, 4);
 if (\count($tks) !== 3) {
 throw new UnexpectedValueException('Wrong number of segments');
 }
diff --git a/tests/JWTTest.php b/tests/JWTTest.php
index 40f45149..d7fe5309 100644
--- a/tests/JWTTest.php
+++ b/tests/JWTTest.php
@@ -323,6 +323,21 @@ public function testInvalidToken()
 JWT::decode($encoded, $decodeKey);
 }
 
+ public function testInvalidTokenSegments()
+ {
+ $dummyToken = 'dGhlIHZhbHVlIGRvZXNuJ3QgbWF0dGVy.T25seSB0aGUgbnVtYmVyIG9mIHNlZ21lbnRz.VGhpcyBzaG91bGQgYmUgYSBzaWduYXR1cmU.YnV0IHRoZXJlIGlzIG1vcmU';
+ $this->expectException(UnexpectedValueException::class);
+ JWT::decode($dummyToken, $this->hmacKey);
+ }
+
+ public function testInvalidTokenManySegments()
+ {
+ $dummyToken = 'dGhlIHZhbHVlIGRvZXNuJ3QgbWF0dGVy.T25seSB0aGUgbnVtYmVyIG9mIHNlZ21lbnRz.VGhpcyBzaG91bGQgYmUgYSBzaWduYXR1cmU';
+ $dummyToken .= str_repeat('.KzE', 999999);
+ $this->expectException(UnexpectedValueException::class);
+ JWT::decode($dummyToken, $this->hmacKey);
+ }
+
 public function testNullKeyFails()
 {
 $payload = [
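Review bot: The limit `4` in `\explode('.', $jwt, 4)` is load-bearing but undocumented, and it only works together with the `\count($tks) !== 3` check that follows it. With a limit of 3, a token with extra segments would split into exactly three parts and pass the count check, leaving rejection to whatever later validation happens outside this hunk. I would add a comment above the call such as `// Limit is expected segments + 1: surplus segments still give count 4 and are rejected below, while the array stays bounded however many '.' the input holds.` The limit bounds the number of array elements, not the input size, because the fourth element still carries the unsplit remainder. If `decode()` is reachable with untrusted input of arbitrary length, a length cap on `$jwt` would have to come from the caller or from code outside this hunk, since the body of `decode()` continues beyond it.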
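Review bot: Both new tests assert only `UnexpectedValueException::class`, so they pass for any failure of that class inside `JWT::decode()` and do not pin the segment-count rejection this commit is about. Adding `$this->expectExceptionMessage('Wrong number of segments');` after each `expectException` call would tie them to the check shown in the `src/JWT.php` hunk. `testInvalidTokenManySegments` would presumably also pass against the old unbounded `explode`, which allocates more but throws the same exception, so it does not by itself guard the limit against regression. A short comment on that test saying it exists to exercise the bounded split on an oversized token would make the intent clear.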