Reject none algorithm when checking JWT signature (#1835)

e04a6f19 · Clément OUDOT · f370255c · e04a6f19
Commit e04a6f19 authored Jul 02, 2019 by Clément OUDOT
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm ...ap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm +4 -2

No files found.
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -19,7 +19,7 @@ use Mouse;

 use Lemonldap::NG::Portal::Main::Constants qw(PE_OK PE_REDIRECT);

-our $VERSION = '2.0.5';
+our $VERSION = '2.0.6';

 # OpenID Connect standard claims
 use constant PROFILE => [
@@ -768,7 +768,9 @@ sub verifyJWTSignature {
                  . " is present but algorithm is 'none'" );
            return 0;
        }
-        return 1;
+        $self->logger->debug(
+            "JWT algorithm is 'none', signature cannot be verified");
+        return 0;
    }

    if ( $alg eq "HS256" or $alg eq "HS384" or $alg eq "HS512" ) {