LemonLDAP NG / lemonldap-ng

Commit e04a6f19
authored Jul 02, 2019 by Clément OUDOT

Reject none algorithm when checking JWT signature (#1835)

parent f370255c
Changes: 1 file

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -19,7 +19,7 @@ use Mouse;
use
Lemonldap::NG::Portal::Main::
Constants
qw(PE_OK PE_REDIRECT)
;
our
$VERSION
=
'
2.0.
5
';
our
$VERSION
=
'
2.0.
6
';
# OpenID Connect standard claims
use
constant
PROFILE
=>
[
@@ -768,7 +768,9 @@ sub verifyJWTSignature {
.
"
is present but algorithm is 'none'
"
);
return
0
;
}
return
1
;
$self
->
logger
->
debug
(
"
JWT algorithm is 'none', signature cannot be verified
");
return
0
;
}
if
(
$alg
eq
"
HS256
"
or
$alg
eq
"
HS384
"
or
$alg
eq
"
HS512
"
)
{
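Review bot: with `return 1;` replaced by `return 0;`, every path through the `$alg eq "none"` branch in verifyJWTSignature now rejects the token, so the nested `if ($signature)` check and its separate "is present but algorithm is 'none'" debug message are redundant; the branch can collapse to one log line followed by `return 0;`. Two further points on the same lines: a token presented with `alg` set to `none` is exactly the event an operator wants to see in production logs, so `warn` or `notice` fits better than `debug` for the new message, and because the comparison is a case-sensitive `eq "none"`, a header carrying `"alg":"None"` or `"NONE"` does not enter this branch and falls through to the `HS256`/`HS384`/`HS512` tests that follow. JWA `alg` values are case-sensitive, so those spellings are simply unrecognised algorithms, and the fix is complete only if the function's final fallthrough for an unrecognised `alg` also returns 0; that code is outside this hunk and should be confirmed.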