Description
For example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it; instead it decodes it into an arbitrary value which, if re-encoded using the same implementation, would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
Instead of blindly decoding the invalid string, the Base32 codec should reject it (e.g. by throwing IllegalArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid Base32 strings).
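The check the description asks for, as an added Python example (not Commons Codec code and not part of the original report): the 29 data characters carry 145 bits, of which only 144 fill whole bytes, so the final character's lowest bit must be zero in a canonical encoding. The function names are hypothetical and the RFC 4648 alphabet with padding is assumed.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 Base32 alphabet
# Legal counts of data characters in the final 8-character block.
VALID_TAIL_LENGTHS = {0, 2, 4, 5, 7}

# The two strings quoted in the report.
REPORTED = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L==="
REENCODED = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K==="


def decode_base32(text: str, strict: bool = True) -> bytes:
    """Decode padded Base32; strict mode rejects non-canonical input."""
    if len(text) % 8 != 0:
        raise ValueError("length must be a multiple of 8")
    data = text.rstrip("=")
    if len(text) - len(data) > 6 or len(data) % 8 not in VALID_TAIL_LENGTHS:
        raise ValueError("invalid padding")
    acc = 0
    for ch in data:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid character {ch!r}")
        acc = (acc << 5) | idx
    leftover = (len(data) * 5) % 8  # bits that do not fill a whole byte
    # Lenient decoding silently drops these bits; strict decoding insists
    # they are zero, so every byte array has exactly one valid encoding.
    if strict and acc & ((1 << leftover) - 1):
        raise ValueError("non-zero trailing bits: not a canonical encoding")
    return (acc >> leftover).to_bytes(len(data) * 5 // 8, "big")


def is_canonical(text: str) -> bool:
    """True if strict decoding accepts the string."""
    try:
        decode_base32(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    lenient = decode_base32(REPORTED, strict=False)
    print("lenient round trip:", base64.b32encode(lenient).decode())
    print("reported string canonical:", is_canonical(REPORTED))
    print("re-encoded string canonical:", is_canonical(REENCODED))
```

Strings that differ only in the discarded bits decode to the same bytes under lenient rules, which is the side channel the report describes.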
Issue Links
- causes
  - HTTPCLIENT-2150 Update to Apache Commons Codec 1.15 (Closed)
- is related to
  - WAGON-609 Upgrade transitive Commons Codec to 1.15 (Closed)
- relates to
  - CODEC-270 Base32 and Base64 still allow decoding some invalid trailing characters (Resolved)
  - CODEC-280 Base32/64 to allow optional strict/lenient decoding (Closed)