AC-12485: Improper JWT validation

dvoskoboinikov · dvoskoboinikov · commit 8d2b0c1c6b42 · 2024-07-16T01:29:57.000-05:00
diff --git a/app/code/Magento/JwtUserToken/Model/SecretBasedJwksFactory.php b/app/code/Magento/JwtUserToken/Model/SecretBasedJwksFactory.php
@@ -35,6 +35,7 @@ class SecretBasedJwksFactory
     public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory)
     {
         $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key')));
+        $this->keys = [end($this->keys)];
         //Making sure keys are large enough.
         foreach ($this->keys as &$key) {
             $key = str_pad($key, 2048, '&', STR_PAD_BOTH);

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ class SecretBasedJwksFactory`
`35`	`35`	`public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory)`
`36`	`36`	`{`
`37`	`37`	`$this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key')));`
	`38`	`+ $this->keys = [end($this->keys)];`
`38`	`39`	`//Making sure keys are large enough.`
`39`	`40`	`foreach ($this->keys as &$key) {`
`40`	`41`	`$key = str_pad($key, 2048, '&', STR_PAD_BOTH);`