Shiro / SHIRO-766

ArrayIndexOutOfBoundsException in Base64#decode

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Resolved
    • Affects Version/s: None
    • Fix Version/s: 1.5.4, 1.6.0, 2.0.0-alpha
    • Component/s: RememberMe
    • Labels: None

    Description

      While investigating a bug in our application, I stumbled upon this mail thread:
      https://www.mail-archive.com/user@shiro.apache.org/msg05654.html

      We have encountered the same issue.

      In org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity:

      String base64 = getCookie().readValue(request, response);
      base64 = ensurePadding(base64);
      byte[] decoded = Base64.decode(base64);
      

      If the cookie value contains characters that are not valid base64, the call to Base64.decode fails with:

      java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
      	at org.apache.shiro.codec.Base64.decode(Base64.java:470)
      	at org.apache.shiro.codec.Base64.decode(Base64.java:414)
      

      It can be reproduced like this:

      Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))
      

      If the same value is passed to Guava's base64 encoder, it fails with:

      com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -
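
An added example, not part of the report and not Shiro's code: one way to treat a malformed cookie value as "no remembered identity" instead of letting a runtime exception escape the request, using the JDK's java.util.Base64. The class and method names are hypothetical, and the standard (non URL-safe) base64 alphabet is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class StrictRememberMeDecode {

    /** Index of the first character outside the standard base64 alphabet, or -1 if none. */
    static int firstInvalidIndex(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '+' || c == '/' || c == '=';
            if (!ok) {
                return i;
            }
        }
        return -1;
    }

    /** Decoded bytes, or empty when the untrusted value is not well-formed base64. */
    static Optional<byte[]> decodeUntrusted(String value) {
        if (value == null || value.isEmpty() || firstInvalidIndex(value) >= 0) {
            return Optional.empty();
        }
        try {
            // The JDK decoder still rejects structural errors that pass the
            // alphabet check, such as misplaced '=' or a truncated final unit.
            return Optional.of(Base64.getDecoder().decode(value));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // The value quoted in the report, and a constructed well-formed value.
        String reported = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm";
        String wellFormed = Base64.getEncoder()
                .encodeToString("constructed-sample".getBytes(StandardCharsets.UTF_8));

        int idx = firstInvalidIndex(reported);
        // Log only the position and the offending character, not the whole cookie.
        System.out.println("first invalid index: " + idx + " ('" + reported.charAt(idx) + "')");
        System.out.println("reported value decodes: " + decodeUntrusted(reported).isPresent());
        System.out.println("well-formed value decodes: " + decodeUntrusted(wellFormed).isPresent());
    }
}
```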
      

          People

            Assignee: Unassigned
            Reporter: Christoffer Eide (eiden)