[ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844994#comment-16844994 ]
Michel Schudel commented on CODEC-134:
--------------------------------------

Very nice! I just checked the PR and found out everything seems OK, but you guys were ahead of me. Thanks for the PR and looking forward to a release!

> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>            Assignee: Gary Gregory
>            Priority: Major
>              Labels: security
>             Fix For: 1.13
>
>         Attachments: diff-120305-20.txt
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> For example, there is no byte array value that can be encoded into the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation
> would not reject it but decode it into an arbitrary value which, if re-encoded
> again using the same implementation, would result in the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should
> reject it (e.g. by throwing IllegalArgumentException) to avoid security
> exploitation (such as tunneling additional information via seemingly valid
> base 32 strings).

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
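The defect the report describes is a missing check on the unused low bits of the final Base32 quantum: "QDE4L===" carries 25 bits but only 24 of them map to output bytes, and 'L' (11 = 01011) sets the one bit that no encoder ever sets, so the string can only have been hand-crafted. The following is an added illustration written for this page, not Commons Codec's code or its fix for CODEC-134, and it is in Python rather than the project's Java because Python's standard library b32decode exhibits the same lenient behaviour the report complains about and so serves as the "before" side. The strict decoder, its function names and the RFC 4648 padding table are my own; the two Base32 strings are the ones quoted in the issue.

```python
"""Strict RFC 4648 Base32 decoding: reject encodings whose unused trailing
bits are non-zero. Added illustration for CODEC-134; not Commons Codec code."""
import base64

# Strings quoted in the issue report: the first cannot be produced by any
# byte array, the second is what a lenient decode/re-encode turns it into.
INVALID_B32 = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L==="
VALID_B32 = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K==="

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_REV = {c: i for i, c in enumerate(ALPHABET)}

# Data characters in a final quantum -> (output bytes, unused low bits).
# RFC 4648 section 6 only allows 2, 4, 5, 7 or 8 data characters.
_FINAL = {8: (5, 0), 7: (4, 3), 5: (3, 1), 4: (2, 4), 2: (1, 2)}


def b32decode_strict(s: str) -> bytes:
    """Decode Base32, raising ValueError on any malformed input."""
    if len(s) % 8:
        raise ValueError("length must be a multiple of 8")
    out = bytearray()
    for i in range(0, len(s), 8):
        quantum = s[i:i + 8]
        data = quantum.rstrip("=")
        if len(data) != 8 and i + 8 != len(s):
            raise ValueError("padding is only allowed in the final quantum")
        if len(data) not in _FINAL or "=" in data:
            raise ValueError("invalid padding")
        nbytes, unused = _FINAL[len(data)]
        acc = 0
        for c in data:
            if c not in _REV:
                raise ValueError(f"non-base32 character {c!r}")
            acc = (acc << 5) | _REV[c]
        # The low `unused` bits belong to no output byte. An encoder always
        # emits them as zero, so a non-zero value means the string was never
        # produced by encoding and may carry smuggled data.
        if unused and acc & ((1 << unused) - 1):
            raise ValueError("non-zero trailing bits in final quantum")
        out += (acc >> unused).to_bytes(nbytes, "big")
    return bytes(out)


def is_valid_b32(s: str) -> bool:
    """True if the strict decoder accepts the string."""
    try:
        b32decode_strict(s)
        return True
    except ValueError:
        return False


def lax_decode(s: str) -> bytes:
    """The lenient stdlib decoder: trailing bits are silently dropped."""
    return base64.b32decode(s)


def lax_roundtrip(s: str) -> str:
    """Decode leniently and re-encode, as the issue describes."""
    return base64.b32encode(lax_decode(s)).decode("ascii")


if __name__ == "__main__":
    print(is_valid_b32(INVALID_B32), is_valid_b32(VALID_B32))  # False True
    print(lax_roundtrip(INVALID_B32) == VALID_B32)  # True
```

The lenient path decodes both strings to the same 18 bytes and re-encodes them to the 'K' form, exactly the round trip the report observes; the strict path accepts the 'K' form, returns the same bytes as the lenient decoder for it, and rejects the 'L' form. A decoder that is used on attacker-controlled input (tokens, cookies, DNS labels) should take the strict path, otherwise each padded final quantum offers one to four bits of covert channel that survive validation by round-trip comparison only if someone actually compares.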