From 930d739dddeac78c1d5dd593de0bf3e1befdab8a Mon Sep 17 00:00:00 2001
From: Andrea
Date: Wed, 11 May 2016 21:49:22 +0200
Subject: [PATCH 1/2] Update decode method to fix algo vulnerability
See: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
---
lib/JWT/Authentication/JWT.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/JWT/Authentication/JWT.php b/lib/JWT/Authentication/JWT.php
index a5023b0d..c79f8733 100644
--- a/lib/JWT/Authentication/JWT.php
+++ b/lib/JWT/Authentication/JWT.php
@@ -32,7 +32,7 @@ class JWT
 * @uses jsonDecode
 * @uses urlsafeB64Decode
 */
- public static function decode($jwt, $key = null, $verify = true)
+ public static function decode($jwt, $key = null, $algo = null, $verify = true)
 {
 $tks = explode('.', $jwt);
 if (count($tks) != 3) {
@@ -50,6 +50,9 @@ public static function decode($jwt, $key = null, $verify = true)
 if (empty($header->alg)) {
 throw new \DomainException('Empty algorithm');
 }
+ if($algo && $header->alg !== $algo){
+ throw new \DomainException('Invalid algorithm');
+ }
 if ($sig != JWT::sign("$headb64.$bodyb64", $key, $header->alg)) {
 throw new \UnexpectedValueException('Signature verification failed');
 }
From 3a849e032d713fabefc51ac200935de309f264f7 Mon Sep 17 00:00:00 2001
From: Andrea
Date: Wed, 11 May 2016 21:51:08 +0200
Subject: [PATCH 2/2] Add algo parameter to decode example
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3eb7e96e..83ab34e7 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ $token = array(
 );
 $jwt = JWT::encode($token, $key);
-$decoded = JWT::decode($jwt, $key);
+$decoded = JWT::decode($jwt, $key, 'HS256');
 print_r($decoded);
 ?>
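Review bot: The added algorithm check in the second JWT.php hunk is opt-in — `if($algo && ...)` is skipped whenever `$algo` is null or otherwise falsy, so every existing caller of `decode()` that does not pass the new argument keeps trusting the token header's `alg`, which is the substitution problem the subject line sets out to fix, and it also treats `$algo === false` as "no check" rather than as a value. Inserting `$algo` ahead of `$verify` additionally re-reads existing positional calls: `decode($jwt, $key, false)` used to disable verification and now runs verification with the algorithm check silently skipped. I would make the comparison explicit, `if ($algo !== null && $header->alg !== $algo) {`, and either require the algorithm (no default) or state in the docblock — which does not appear to be updated in the first hunk — that omitting it leaves the header-chosen algorithm in force. While touching this block, the existing `$sig != JWT::sign(...)` comparison on the line below is loose and not constant-time; `hash_equals()` would be the appropriate replacement. `decode()` begins before the first hunk and continues past the end of the second.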