jws: split token into fixed number of parts Thanks to 'jub0bs' for reporting this issue. Fixes #71490 Fixes CVE-2025-22868 Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

commit: 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 [log] [tgz]
author: Neal Patel <nealpatel@google.com> Thu Jan 30 19:10:09 2025
committer: Gopher Robot <gobot@golang.org> Mon Feb 24 17:56:26 2025
tree: ae237821b1695d6571a88ac74bbe7249c66e8874
parent: 3f78298beea38fb76a3fbca33e3056f4b7eb5502 [diff]
diff --git a/jws/jws.go b/jws/jws.go
index 9501564..6f03a49 100644
--- a/jws/jws.go
+++ b/jws/jws.go

@@ -165,11 +165,11 @@
 // Verify tests whether the provided JWT token's signature was produced by the private key
 // associated with the supplied public key.
 func Verify(token string, key *rsa.PublicKey) error {
-	parts := strings.Split(token, ".")
-	if len(parts) != 3 {
+	if strings.Count(token, ".") != 2 {
 		return errors.New("jws: invalid token received, token must have 3 parts")
 	}
 
+	parts := strings.SplitN(token, ".", 3)
 	signedContent := parts[0] + "." + parts[1]
 	signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
 	if err != nil {
commit	681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3	[log] [tgz]
author	Neal Patel <nealpatel@google.com>	Thu Jan 30 19:10:09 2025
committer	Gopher Robot <gobot@golang.org>	Mon Feb 24 17:56:26 2025
tree	ae237821b1695d6571a88ac74bbe7249c66e8874
parent	3f78298beea38fb76a3fbca33e3056f4b7eb5502 [diff]