[CODEC-134] Base32 would decode some invalid Base32 encoded string into arbitrary value - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.6
Fix Version/s: 1.13
Labels:
- security
Environment:

All

Description

Example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it but decode it into an arbitrary value which if re-encoded again using the same implementation would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".

Instead of blindly decoding the invalid string, the Base32 codec should reject it (eg by throwing IlleglArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid base 32 strings).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

diff-120305-20.txt
06/Mar/12 04:05
10 kB
Hanson Char

Issue Links

causes

HTTPCLIENT-2150 Update to Apache Commons Codec 1.15

Closed

is related to

WAGON-609 Upgrade transitive Commons Codec to 1.15

Closed

relates to

CODEC-270 Base32 and Base64 still allow decoding some invalid trailing characters

Resolved

CODEC-280 Base32/64 to allow optional strict/lenient decoding

Closed

links to

GitHub Pull Request #19

Activity

People

Assignee:: Gary D. Gregory

Reporter:: Hanson Char

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 03/Mar/12 23:14

Updated:: 10/Apr/21 15:43

Resolved:: 20/May/19 15:40

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10m