commons-issues mailing list archives

From "Gary D. Gregory (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CODEC-134) Base32 would decode some invalid Base32 encoded string into arbitrary value
Date Mon, 05 Mar 2012 21:43:57 GMT

    [ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13222629#comment-13222629
] 

Gary D. Gregory commented on CODEC-134:
---------------------------------------

Hello Hanson,

Now that I took a closer look at Base64TestData, I can see that CODEC_101_MULTIPLE_OF_3 is
about input length. So fiddling with it should be OK but I do not recommend it because it
is specifically maintained for CODEC-101. Better not to confuse things here IMO.

Can you provide a patch using svn diff please, I cannot apply this patch as-is with Eclipse/SVN.

Thank you,
Gary
                
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>              Labels: security
>         Attachments: diff-120304-22.txt
>
>
> Example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===",
> but the existing Base32 implementation would not reject it but decode it into an arbitrary
> value which if re-encoded again using the same implementation would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should reject it (e.g.
> by throwing IllegalArgumentException) to avoid security exploitation (such as tunneling additional
> information via seemingly valid base 32 strings).
