[SHIRO-766] ArrayIndexOutOfBoundsException in Base64#decode - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Resolved
Affects Version/s: None
Fix Version/s: 1.5.4, 1.6.0, 2.0.0-alpha
Component/s: RememberMe
Labels:
None

Description

While investigating a bug in our application, I stumbled upon this mail thread:
https://www.mail-archive.com/user@shiro.apache.org/msg05654.html

We have encountered the same issue.

In org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity:

String base64 = getCookie().readValue(request, response);
base64 = ensurePadding(base64);
byte[] decoded = Base64.decode(base64);

If the cookie value contains characters that are not valid base64, the call to Base64.decode, fails with:

java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
	at org.apache.shiro.codec.Base64.decode(Base64.java:470)
	at org.apache.shiro.codec.Base64.decode(Base64.java:414)

It can be reproduced like this:

Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))

If the same value is passed to guavas base64 encoder, it fails with:

com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Christoffer Eide

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/May/20 08:42

Updated:: 12/Aug/20 06:04

Resolved:: 05/May/20 15:05

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: