milczarekIT opened a new pull request #260: URL: https://github.com/apache/httpcomponents-client/pull/260
Fixed information exposure "Base32 would decode some invalid Base32 encoded string into arbitrary value" https://issues.apache.org/jira/browse/CODEC-134 This issue has been fixed in commons-codec 1.13, upgrading to the newest 1.15. Version 5.0.x already have commons-codec 1.15 commons-codec versions [,1.13) are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
