From 1513a0e092b986a004c5eb76be45b5ce3527022b Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor" 
Date: Wed, 13 May 2020 12:36:14 +0100
Subject: [PATCH 1/2] VerifyLoginTask: beware wrong number of parts when splitting JWT
---
 src/pocketmine/network/mcpe/VerifyLoginTask.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/pocketmine/network/mcpe/VerifyLoginTask.php b/src/pocketmine/network/mcpe/VerifyLoginTask.php
index db3d86d28..88e6507f8 100644
--- a/src/pocketmine/network/mcpe/VerifyLoginTask.php
+++ b/src/pocketmine/network/mcpe/VerifyLoginTask.php
@@ -30,6 +30,7 @@ use pocketmine\Server;
 use function assert;
 use function base64_decode;
 use function chr;
+use function count;
 use function explode;
 use function json_decode;
 use function ltrim;
@@ -94,7 +95,11 @@ class VerifyLoginTask extends AsyncTask{
 * @throws VerifyLoginException if errors are encountered
 */
 private function validateToken(string $jwt, ?string &$currentPublicKey, bool $first = false) : void{
- [$headB64, $payloadB64, $sigB64] = explode('.', $jwt);
+ $rawParts = explode('.', $jwt);
+ if(count($rawParts) !== 3){
+ throw new VerifyLoginException("Wrong number of JWT parts, expected 3, got " . count($rawParts));
+ }
+ [$headB64, $payloadB64, $sigB64] = $rawParts;
 
 $headers = json_decode(base64_decode(strtr($headB64, '-_', '+/'), true), true);
 
From bd1d7b8d75976966c5480b18b91e9d8ff176612e Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor" 
Date: Wed, 13 May 2020 12:39:05 +0100
Subject: [PATCH 2/2] asserts :clap: are :clap: not :clap: error :clap: checking
---
 src/pocketmine/network/mcpe/VerifyLoginTask.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/pocketmine/network/mcpe/VerifyLoginTask.php b/src/pocketmine/network/mcpe/VerifyLoginTask.php
index 88e6507f8..f4967ef63 100644
--- a/src/pocketmine/network/mcpe/VerifyLoginTask.php
+++ b/src/pocketmine/network/mcpe/VerifyLoginTask.php
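Review bot: The new part-count guard in `validateToken` still lets a malformed JWT header through unreported, because on the hunk's last code line `base64_decode(..., true)` yields `false` for non-base64 input and `json_decode` yields `null` for non-JSON input, and neither result is checked before `$headers` is handed on (its consumers lie outside the hunk, as does the rest of the function body). If the file declares `strict_types` (not visible here) a `false` reaching `json_decode` surfaces as a `TypeError`, otherwise `$headers` becomes `null`; either way a bad header fails differently from a bad part count, which is the same class of problem this patch and the follow-up "asserts are not error checking" commit set out to fix. Decoding in two guarded steps keeps every malformed-token path on `VerifyLoginException`; the `is_array` check below would need a `use function is_array;` alongside the `use function count;` this hunk adds. As a minor style point, `count($rawParts)` is evaluated twice in the new guard; a local `$partCount = count($rawParts);` reads cleaner.
```php
		[$headB64, $payloadB64, $sigB64] = $rawParts;

		$headerJson = base64_decode(strtr($headB64, '-_', '+/'), true);
		if($headerJson === false){
			throw new VerifyLoginException("Malformed JWT header: not valid base64url");
		}
		$headers = json_decode($headerJson, true);
		if(!is_array($headers)){
			throw new VerifyLoginException("Malformed JWT header: not a JSON object");
		}
		// … unchanged: remainder of validateToken (continues past the hunk) …
```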
@@ -27,7 +27,6 @@ use pocketmine\network\mcpe\protocol\LoginPacket;
 use pocketmine\Player;
 use pocketmine\scheduler\AsyncTask;
 use pocketmine\Server;
-use function assert;
 use function base64_decode;
 use function chr;
 use function count;
@@ -116,7 +115,9 @@ class VerifyLoginTask extends AsyncTask{
 //OpenSSL wants a DER-encoded signature, so we extract R and S from the plain signature and crudely serialize it.
- assert(strlen($plainSignature) === 96);
+ if(strlen($plainSignature) !== 96){
+ throw new VerifyLoginException("Wrong signature length, expected 96, got " . strlen($plainSignature));
+ }
 [$rString, $sString] = str_split($plainSignature, 48);