From 1b8e5d0244d04562aaec3a27dff0db77baed7f82 Mon Sep 17 00:00:00 2001
From: Wuriyanto
Date: Mon, 11 May 2020 06:53:14 +0700
Subject: [PATCH] change cjson to cjson.safe and cath error from decode function
---
 resources/prosody-plugins/token/util.lib.lua | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/resources/prosody-plugins/token/util.lib.lua b/resources/prosody-plugins/token/util.lib.lua
index c18bdd487..72af078db 100644
--- a/resources/prosody-plugins/token/util.lib.lua
+++ b/resources/prosody-plugins/token/util.lib.lua
@@ -7,7 +7,7 @@ local hex = require "util.hex";
 local jwt = require "luajwtjitsi";
 local http = require "net.http";
 local jid = require "util.jid";
-local json = require "cjson";
+local json_safe = require "cjson.safe";
 local path = require "util.paths";
 local sha256 = require "util.hashes".sha256;
 local timer = require "util.timer";
@@ -255,7 +255,10 @@ function Util:process_and_verify_token(session)
 if self.asapKeyServer and session.auth_token ~= nil then
 local dotFirst = session.auth_token:find("%.");
 if not dotFirst then return nil, "Invalid token" end
- local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
+ local header, err = json_safe.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));
+ if err then
+ return false, "not-allowed", "bad token format";
+ end
 local kid = header["kid"];
 if kid == nil then
 return false, "not-allowed", "'kid' claim is missing";
@@ -398,4 +401,4 @@ function Util:verify_room(session, room_address)
 end
 end
-return Util;
+return Util;
\ No newline at end of file
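Review bot: The `if err then` guard in the `process_and_verify_token` hunk only covers input that fails to parse. A header segment that decodes to valid non-object JSON (a number, `true`, `null`) comes back as a non-table value with no error, so `header["kid"]` on the following context line can still raise. Because the header is read from `session.auth_token` before any signature verification, I would tighten the guard to `if err or type(header) ~= "table" then`. It is also worth confirming what `basexx.from_url64` returns on invalid base64url input: if it returns `nil` plus a message, both values are passed to `json_safe.decode`, and the cjson.safe wrapper's one-argument check may throw before the protected decode runs, so decoding into a local first would be safer. The function body starts and continues outside this hunk, so later uses of `header` were not reviewed.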