Uploaded image for project: 'Commons Codec'
  1. Commons Codec
  2. CODEC-134

Base32 would decode some invalid Base32 encoded string into arbitrary value

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6
    • Fix Version/s: 1.13
    • Labels:
    • Environment:

      All

      Description

      Example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it but decode it into an arbitrary value which if re-encoded again using the same implementation would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".

      Instead of blindly decoding the invalid string, the Base32 codec should reject it (eg by throwing IlleglArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid base 32 strings).

        Attachments

        1. diff-120305-20.txt
          10 kB
          Hanson Char

          Issue Links

            Activity

              People

              • Assignee:
                ggregory Gary D. Gregory
                Reporter:
                hchar Hanson Char
              • Votes:
                0 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 10m
                  10m