Fixes #949
lhazlewood committed Jun 16, 2024
1 parent 7543248 commit df14b55
Showing 2 changed files with 42 additions and 33 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
## Release Notes

### 0.12.6

* Fixed GZIPInputStream memory leak surfaced in the 0.12.0 release. See [Issue 949](https://github.com/jwtk/jjwt/issues/949).

### 0.12.5

This patch release:
71 changes: 38 additions & 33 deletions impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
@@ -595,43 +595,48 @@ private void verifySignature(final TokenizedJwt tokenized, final JwsHeader jwsHe
Claims claims = null;
byte[] payloadBytes = payload.getBytes();
if (payload.isConsumable()) {

InputStream in = payload.toInputStream();

if (!hasContentType(header)) { // If there is a content type set, then the application using JJWT is expected
// to convert the byte payload themselves based on this content type
// https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 :
//
// "This parameter is ignored by JWS implementations; any processing of this
// parameter is performed by the JWS application."
//
Map<String, ?> claimsMap = null;
try {
// if deserialization fails, we'll need to rewind to convert to a byte array. So if
// mark/reset isn't possible, we'll need to buffer:
if (!in.markSupported()) {
in = new BufferedInputStream(in);
in.mark(0);
}
claimsMap = deserialize(new UncloseableInputStream(in) /* Don't close in case we need to rewind */, "claims");
} catch (DeserializationException | MalformedJwtException ignored) { // not JSON, treat it as a byte[]
InputStream in = null;
try {
in = payload.toInputStream();

if (!hasContentType(header)) { // If there is a content type set, then the application using JJWT is expected
// to convert the byte payload themselves based on this content type
// https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 :
//
// "This parameter is ignored by JWS implementations; any processing of this
// parameter is performed by the JWS application."
//
Map<String, ?> claimsMap = null;
try {
// if deserialization fails, we'll need to rewind to convert to a byte array. So if
// mark/reset isn't possible, we'll need to buffer:
if (!in.markSupported()) {
in = new BufferedInputStream(in);
in.mark(0);
}
claimsMap = deserialize(new UncloseableInputStream(in) /* Don't close in case we need to rewind */, "claims");
} catch (DeserializationException |
MalformedJwtException ignored) { // not JSON, treat it as a byte[]
// String msg = "Invalid claims: " + e.getMessage();
// throw new MalformedJwtException(msg, e);
} finally {
Streams.reset(in);
}
if (claimsMap != null) {
try {
claims = new DefaultClaims(claimsMap);
} catch (Throwable t) {
String msg = "Invalid claims: " + t.getMessage();
throw new MalformedJwtException(msg);
} finally {
Streams.reset(in);
}
if (claimsMap != null) {
try {
claims = new DefaultClaims(claimsMap);
} catch (Throwable t) {
String msg = "Invalid claims: " + t.getMessage();
throw new MalformedJwtException(msg);
}
}
}
}
if (claims == null) {
// consumable, but not claims, so convert to byte array:
payloadBytes = Streams.bytes(in, "Unable to convert payload to byte array.");
if (claims == null) {
// consumable, but not claims, so convert to byte array:
payloadBytes = Streams.bytes(in, "Unable to convert payload to byte array.");
}
} finally {
Objects.nullSafeClose(in);
}
}

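Review bot: The re-indented `catch (Throwable t)` around `new DefaultClaims(claimsMap)` still throws `new MalformedJwtException(msg)` without the cause, so the original exception type and stack trace are lost when claims built from an untrusted token are rejected. Passing it through, `throw new MalformedJwtException(msg, t);`, keeps that evidence for whoever triages a parse failure; the commented-out lines in the preceding catch suggest the two-argument form was already intended there. Catching `Throwable` also turns JVM `Error`s into a malformed-token result, so `catch (RuntimeException e)` may be the safer width if the constructor throws nothing checked, which cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.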
