fix panic in auth token validationHEAD master

author: metamuffin <metamuffin@disroot.org> 2026-03-23 15:36:21 +0100
committer: metamuffin <metamuffin@disroot.org> 2026-03-23 15:36:21 +0100
commit: c9101af2bd50dcbbfe2883e5c48e1e032d90b21f (patch)
tree: b30d71f0e7e341cb5f7487109f2813ca4ab65190
parent: 7d15aec5be589b2d53c89a427a9c99dec2dea1ff (diff)
download: jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar
jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar.bz2
jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar.zst
1 files changed, 3 insertions, 0 deletions
diff --git a/server/src/auth.rs b/server/src/auth.rs
index 69d68d0..d5ca54c 100644
--- a/server/src/auth.rs
+++ b/server/src/auth.rs
@@ -130,6 +130,9 @@ pub mod token {
     }
     pub fn validate(sk: &SessionKey, token: &str) -> Result<RowNum> {
         let cipher = URL_SAFE.decode(token)?;
+        if cipher.len() < 12 {
+            bail!("token format invalid")
+        }
         let (cipher, nonce) = cipher.split_at(cipher.len() - 12);
         let plain =
             sk.0.decrypt(nonce.into(), cipher)
author	metamuffin <metamuffin@disroot.org>	2026-03-23 15:36:21 +0100
committer	metamuffin <metamuffin@disroot.org>	2026-03-23 15:36:21 +0100
commit	c9101af2bd50dcbbfe2883e5c48e1e032d90b21f (patch)
tree	b30d71f0e7e341cb5f7487109f2813ca4ab65190
parent	7d15aec5be589b2d53c89a427a9c99dec2dea1ff (diff)
download	jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar.bz2 jellything-c9101af2bd50dcbbfe2883e5c48e1e032d90b21f.tar.zst