Date: Tue, 6 Mar 2012 04:07:24 +0000 (UTC)
From: "Hanson Char (Updated) (JIRA)"
To: issues@commons.apache.org
Message-ID: <1076656286.25982.1331006844693.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <2102301202.18802.1330816556933.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Updated] (CODEC-134) Base32 would decode some invalid Base32 encoded string into arbitrary value

    [ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hanson Char updated CODEC-134:
------------------------------

    Attachment:     (was: diff-120304-22.txt)

> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>              Labels: security
>         Attachments: diff-120305-20.txt
>
>
> For example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it but decode it into an arbitrary value which, if re-encoded again using the same implementation, would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should reject it (e.g. by throwing IllegalArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid Base32 strings).