Subject of the issue
With the Cookie serialization vulnerability changes in 5.6.30, cookies are not serialized by default anymore.
When Tymon\JWTAuth\Http\Parser\Cookies->decrypt() is called, it calls Laravel's Crypt::decrypt(), which has a default parameter of $unserialize = true. Currently tymon/jwt-auth doesn't validate if the cookie value might indeed be non-serialized.
Your environment

| Q | A |
| --- | --- |
| Bug? | yes |
| New Feature? | no |
| Framework | Laravel |
| Framework version | 5.7.8 |
| Package version | 1.0.0-rc.3 |
| PHP version | 7.2.7 |

Steps to reproduce
Create a new Laravel application with version 5.6.30 or newer.
Install tymon/jwt-auth 1.0.0-rc.3.
Implement the simplest JWT auth implementation, e.g. a login view for creating the token and an admin view for consuming the token.
Make sure the EncryptCookies middleware is enabled and that config/jwt.php has decrypt_cookies => true.
Call auth()->user() to get the currently logged-in User.
Expected behaviour
I am able to get the token and the user associated with it.
Actual behaviour
unserialize() error is thrown.
Workaround
The current workaround I've found is to enforce cookie serialization through the EncryptCookies middleware by setting protected static $serialize = true;.
This however will expose the application to the mentioned vulnerability if the app_key were to be compromised.
Stack Trace
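
The failure described in this issue, and one way a cookie parser could accept both cookie formats without re-enabling serialization, as an added example that is not part of the original issue or of tymon/jwt-auth. finishDecrypt() is a stand-in for the final step of Crypt::decrypt() with the decryption itself omitted; tokenFromCookiePlaintext() and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Mirror Laravel's behaviour of turning PHP notices/warnings into exceptions.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Stand-in for the final step of Crypt::decrypt($payload, $unserialize = true).
// Decryption is omitted: $plaintext is what the decrypted cookie would contain.
function finishDecrypt(string $plaintext, bool $unserialize = true)
{
    return $unserialize ? unserialize($plaintext) : $plaintext;
}

// Hypothetical helper: accept a raw token (default since 5.6.30) or a legacy
// serialized string, and never let unserialize() build objects.
function tokenFromCookiePlaintext(string $plaintext): ?string
{
    $jwt = '/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/';
    if (preg_match($jwt, $plaintext) === 1) {
        return $plaintext;                       // stored without serialization
    }
    if (preg_match('/^s:\d+:"/', $plaintext) !== 1) {
        return null;                             // not a serialized string: reject
    }
    try {
        $value = unserialize($plaintext, ['allowed_classes' => false]);
    } catch (ErrorException $e) {
        return null;                             // malformed serialized data
    }
    return is_string($value) && preg_match($jwt, $value) === 1 ? $value : null;
}

// Constructed sample values (not real tokens).
$raw    = 'aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl';
$legacy = serialize($raw);                       // s:<len>:"<token>";

try {
    finishDecrypt($raw);                         // the call path described in the issue
} catch (ErrorException $e) {
    echo 'default path: ', $e->getMessage(), PHP_EOL;
}
var_dump(tokenFromCookiePlaintext($raw) === $raw);
var_dump(tokenFromCookiePlaintext($legacy) === $raw);
var_dump(tokenFromCookiePlaintext('O:8:"stdClass":0:{}'));
```

In a Laravel application the same effect on the default path comes from passing false as the second argument to Crypt::decrypt(), or from using Crypt::decryptString(), so the plaintext is never handed to unserialize().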