Details
Bug
Status: Resolved
Minor
Resolution: Resolved
None
None
Description
While investigating a bug in our application, I stumbled upon this mail thread:
https://www.mail-archive.com/user@shiro.apache.org/msg05654.html
We have encountered the same issue.
In org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity:
    String base64 = getCookie().readValue(request, response);
    base64 = ensurePadding(base64);
    byte[] decoded = Base64.decode(base64);
If the cookie value contains characters that are not valid base64, the call to Base64.decode fails with:
    java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
        at org.apache.shiro.codec.Base64.decode(Base64.java:470)
        at org.apache.shiro.codec.Base64.decode(Base64.java:414)
It can be reproduced like this:
Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))
If the same value is passed to Guava's base64 encoder, it fails with:
com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -
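
One way to handle such a cookie value defensively, as an added example that is not Shiro's code and not from the reporter: decode with the JDK's strict java.util.Base64 decoder and treat a malformed value as "no remembered identity". The class and method names are hypothetical, and the sketch assumes Java 11+ and that ignoring a malformed cookie is the desired behaviour.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: hypothetical helper, not part of Apache Shiro.
public class RememberMeCookieDecoder {

    // Restore trailing '=' that cookie handling may have stripped.
    static String pad(String value) {
        int missing = (4 - value.length() % 4) % 4;
        return value + "=".repeat(missing);
    }

    // Returns the decoded bytes, or null when the value is not valid base64.
    // The cookie is attacker-controlled input, so a decode failure is an
    // expected condition to reject, not an error to propagate to the caller.
    static byte[] decodeOrNull(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return null;
        }
        try {
            // The basic decoder rejects any character outside the base64
            // alphabet with IllegalArgumentException.
            return Base64.getDecoder().decode(pad(cookieValue));
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    static String describe(byte[] decoded) {
        return decoded == null ? "rejected" : "decoded " + decoded.length + " bytes";
    }

    public static void main(String[] args) {
        // Value from the report above: '-' and '%' are not base64 characters.
        String malformed = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm";
        // Constructed sample: valid base64 with its padding stripped.
        String wellFormed = Base64.getEncoder()
                .encodeToString("constructed sample!".getBytes(StandardCharsets.UTF_8))
                .replace("=", "");

        System.out.println("malformed:  " + describe(decodeOrNull(malformed)));
        System.out.println("wellFormed: " + describe(decodeOrNull(wellFormed)));
    }
}
```

A caller that receives null would skip identity deserialization and could also clear the cookie so the client stops resending it.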