From bb0967cceba9ed0a0ba05ca92929a96f2cd8d822 Mon Sep 17 00:00:00 2001
From: Taylor Otwell
Date: Thu, 16 Feb 2012 14:53:22 -0600
Subject: [PATCH] throw exception if padding is invalid.
---
 laravel/crypter.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/laravel/crypter.php b/laravel/crypter.php
index 1bdfedbd..c58c6b3a 100644
--- a/laravel/crypter.php
+++ b/laravel/crypter.php
@@ -131,7 +131,20 @@ class Crypter {
 {
 $pad = ord($value[($length = Str::length($value)) - 1]);
- return substr($value, 0, $length - $pad);
+ if ($pad and $pad < static::$block)
+ {
+ // If the correct padding is present on the string, we will remove
+ // it and return the value. Otherwise, we'll throw an exception
+ // as the padding appears to have been changed.
+ if (preg_match('/'.chr($pad).'{'.$pad.'}$/', $value))
+ {
+ return substr($value, 0, $length - $pad);
+ }
+
+ throw new \Exception("Decryption error. Padding is invalid.");
+ }
+
+ return $value;
 }
 /**
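Review bot: The new guard in the unpad body still returns `$value` untouched when the last byte is 0 or is not below `static::$block`, so malformed padding in that range is accepted silently instead of raising the new exception; and if the pad routine (not in this hunk) emits a full block for block-aligned input, the `<` also leaves that padding attached. The `preg_match` pattern is built from an unescaped `chr($pad)`, which is only correct while no allowed pad byte is a regex metacharacter; a plain `substr`/`str_repeat` comparison avoids the regex entirely. A distinct padding-failure exception is also only safe when the ciphertext is authenticated before it is decrypted; the hunk does not show a MAC check, so confirm one exists in the decrypt path or make every decryption failure look the same to the caller. The method signature lies outside the hunk, and the rewritten body below assumes no caller relies on unpadded values passing through unchanged.

```php
{
    $pad = ord($value[($length = Str::length($value)) - 1]);

    // Reject any pad byte outside 1..block size instead of passing the
    // value through; a full block of padding is valid for aligned input.
    if ($pad < 1 or $pad > static::$block or $pad > $length)
    {
        throw new \Exception("Decryption error. Padding is invalid.");
    }

    // Compare the tail byte-for-byte rather than building a regex from
    // chr($pad), so no pad value can be read as a metacharacter.
    if (substr($value, -$pad) !== str_repeat(chr($pad), $pad))
    {
        throw new \Exception("Decryption error. Padding is invalid.");
    }

    return substr($value, 0, $length - $pad);
}
```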