Merge pull request firebase#6 from 4026/master

Chris Raynor · Chris Raynor · commit 2f570864b602 · 2014-06-18T10:39:32.000-07:00
Preventing large ints being converted to floats when decoding.
diff --git a/Authentication/JWT.php b/Authentication/JWT.php
@@ -130,7 +130,20 @@ public static function sign($msg, $key, $method = 'HS256')
      */
     public static function jsonDecode($input)
     {
-        $obj = json_decode($input);
+        if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
+            /* In PHP >=5.4.0, json_decode() accepts an options parameter, that allows you to specify that large ints (like Steam
+             * Transaction IDs) should be treated as strings, rather than the PHP default behaviour of converting them to floats.
+             */
+            $obj = json_decode($input, false, 512, JSON_BIGINT_AS_STRING);
+        } else {
+            /* Not all servers will support that, however, so for older versions we must manually detect large ints in the JSON
+             * string and quote them (thus converting them to strings) before decoding, hence the preg_replace() call.
+             */
+            $max_int_length = strlen((string) PHP_INT_MAX) - 1;
+            $json_without_bigints = preg_replace('/:\s*(\d{'.$max_int_length.',})/', ': "$1"', $input);
+            $obj = json_decode($json_without_bigints);
+        }
+
         if (function_exists('json_last_error') && $errno = json_last_error()) {
             JWT::_handleJsonError($errno);
         } else if ($obj === null && $input !== 'null') {
