fix: salt parameter splicing

Author: ovx

src/Altcha.php

@@ -154,7 +154,7 @@ public function verifySolution(string|array $data, bool $checkExpires = true): b
      */
     private function extractParams(Payload $payload): array
     {
-        $saltParts = explode('?', $payload->salt);
+        $saltParts = explode('?', rtrim($payload->salt, ';'));
         if (\count($saltParts) > 1) {
             parse_str($saltParts[1], $params);
 

src/BaseChallengeOptions.php

@@ -38,6 +38,11 @@ public function __construct(
             $salt .= '?' . http_build_query($params);
         }
 
+        // Add a delimiter to prevent parameter splicing
+        if (!str_ends_with($salt, ';')) {
+            $salt = $salt . ';';
+        }
+
         $this->salt = $salt;
     }
 }

tests/AltchaTest.php

@@ -98,6 +98,30 @@ public function testVerifySolution(): void
         self::assertTrue($isValid);
     }
 
+    public function testVerifySolutionSaltSplicing(): void
+    {
+        $challenge = self::$altcha->createChallenge(new BaseChallengeOptions(
+            algorithm: Algorithm::SHA256,
+            maxNumber: 50000,
+            number: 123,
+            expires: (new \DateTimeImmutable())->add(new \DateInterval('PT10S')),
+            params: [],
+            salt: bin2hex(random_bytes(12)),
+        ));
+
+        $payload = [
+            'algorithm' => $challenge->algorithm,
+            'challenge' => $challenge->challenge,
+            'salt' => $challenge->salt . "1",
+            'signature' => $challenge->signature,
+            'number' => 23,
+        ];
+
+        $isValid = self::$altcha->verifySolution(base64_encode(json_encode($payload) ?: ''));
+
+        self::assertFalse($isValid);
+    }
+
     public function testVerifyServerSignature(): void
     {
         $algorithm = Algorithm::SHA256;