[
https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16865221#comment-16865221
]
Pavan Raju commented on CODEC-134:
----------------------------------
Hey folks,
Thanks for the fix above! Much appreciated.
Is there a plan for a release coming up soon? We're also looking at using the
1.13 release.
Thanks,
Pavan
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
> Key: CODEC-134
> URL: https://issues.apache.org/jira/browse/CODEC-134
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.6
> Environment: All
> Reporter: Hanson Char
> Assignee: Gary Gregory
> Priority: Major
> Labels: security
> Fix For: 1.13
>
> Attachments: diff-120305-20.txt
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Example, there is no byte array value that can be encoded into the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation
> would not reject it but decode it into an arbitrary value which if re-encoded
> again using the same implementation would result in the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should
> reject it (eg by throwing IlleglArgumentException) to avoid security
> exploitation (such as tunneling additional information via seemingly valid
> base 32 strings).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
