[ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13222172#comment-13222172 ]

Hanson Char commented on CODEC-134:
-----------------------------------

Hi Gary,

I am not sure I understand the meaning of the name "CODEC_101_MULTIPLE_OF_3". Does it mean a multiple of 3 in terms of the number of bits or bytes? If it is bytes, both "123" and "124" contain 3 bytes. If it is the number of "1" bits in the UTF-8 bit array, the byte array of "123" contains 10 bits (on) whereas that of "124" contains 9 bits.

In the only two test cases (in Base64InputStreamTest.java) where CODEC_101_MULTIPLE_OF_3 is used, CODEC_101_MULTIPLE_OF_3 appears to be used simply as a straight base 64 encoded string that the test case attempts to decode (via a Base64InputStream). Since "123" cannot be a possible base 64 encoded value, the two test cases should fail rather than pass.

What am I missing?

Regards,
Hanson
                
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>              Labels: security
>         Attachments: diff-120304-20.txt, patch.txt
>
>
> For example, there is no byte array value that can be encoded into the string 
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation 
> would not reject it but decode it into an arbitrary value which, if re-encoded 
> again using the same implementation, would result in the string 
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should 
> reject it (e.g. by throwing IllegalArgumentException) to avoid security 
> exploitation (such as tunneling additional information via seemingly valid 
> base 32 strings).
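The non-canonical string in the issue differs from its canonical form only in the last symbol: "L" (01011) and "K" (01010) share their first four bits, and with "===" padding only 24 of the final 25 bits belong to the output, so a lenient decoder silently drops the differing bit. The strict decoder below is an added illustration (not Commons Codec's code) that decodes RFC 4648 Base32 and rejects input whose unused trailing bits are non-zero, the check the issue asks for; Python's own base64.b32decode is used alongside it as the lenient reference.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}

# The two strings from the issue report: "L===" carries a stray trailing bit,
# "K===" is the canonical encoding of the same 18 bytes.
NONCANONICAL = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L==="
CANONICAL = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K==="


def strict_b32decode(s: str) -> bytes:
    """Decode Base32, rejecting bad padding and non-zero trailing bits."""
    if len(s) % 8:
        raise ValueError("length is not a multiple of 8")
    data = s.rstrip("=")
    pad = len(s) - len(data)
    # Valid pad counts per RFC 4648: 0, 1, 3, 4 or 6 '=' characters.
    if pad not in (0, 1, 3, 4, 6) or "=" in data:
        raise ValueError("invalid padding")
    bits, nbits, out = 0, 0, bytearray()
    for ch in data:
        if ch not in DECODE_MAP:
            raise ValueError(f"non-base32 character {ch!r}")
        bits = (bits << 5) | DECODE_MAP[ch]
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1  # keep only the not-yet-emitted bits
    # Whatever is left over never reaches the output; a canonical encoder
    # always emits zeros here, so anything else is a covert or corrupt input.
    if bits != 0:
        raise ValueError("non-zero trailing bits: non-canonical encoding")
    return bytes(out)


def is_canonical_b32(s: str) -> bool:
    try:
        return base64.b32encode(strict_b32decode(s)).decode("ascii") == s
    except ValueError:
        return False


def lenient_roundtrip(s: str) -> str:
    """What the lenient stdlib decoder turns the input into after re-encoding."""
    return base64.b32encode(base64.b32decode(s)).decode("ascii")
```

Running lenient_roundtrip on NONCANONICAL reproduces the issue's observation (it comes back as the "K===" string), while strict_b32decode raises on it and accepts only the canonical form.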

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira