On 08/10/2019 11:26, Konstantin Kolinko wrote:
> Tue, 8 Oct 2019 at 12:24, Arnaud Yahoo <a_mer...@yahoo.fr.invalid>:
>>
>> Hello,
>>
>> I am using a 3rd party valve for OpenID Connect authentication that stopped
>> working after upgrading from Tomcat 8.5.24 to 8.5.46
>>
>> I managed to isolate the issue behind this and it is caused by a change
>> in org.apache.tomcat.util.codec.binary.Base64
>>
>> It can be reproduced with a simple test case
>>
>> @Test
>>      public void decodeBase64Test() {
>>          String str =
>> "YZJXP8zFDY6WPk1NZx4RtkH95lA4H_GM_XmFjouJImtqy-PD27-GUYVrCq1QM3M09TzRFZTL4aMMTweZFj3h1M-4Pqb4xrRq9URICQ9ffpnB9OGKjEwEpzhICwbE8C8-zEbhFOEgdXcyeP0pJc9uHEUH9Z4rTEg0jxmOmffIAbX9zfjhIla0XUsFd2C2QQGXu1nTFrb2EqfhLDls4ZLCcnLZE6Be3SpHCtvZiFN4w3xlI0TZitX4S3SjTocK4Xobb3Ey0RnewDP6jw78JniFTbuuGB962GlHDJvaQoda2dON9j7Yhv_pTvxBlHDmIKYINYsBfTwEQ_qtLJtmcvv41Q";
>>
>> assertArrayEquals(org.apache.tomcat.util.codec.binary.Base64.decodeBase64(str),
>> java.util.Base64.getUrlDecoder().decode(str));
>>      }
>>
>> This test is OK with 8.5.24 but fails with 8.5.46. Are there any known
>> issues with the Base64 utility?
> 
> Please test with 8.5.47 release candidate that is currently being
> voted (see e-mails on the dev@ list for links).
> 
> There have been changes in the decoding code between 8.5.46 and .47.
> 
> c8fcc65e74d43b8201a50a30f88836264e565f79
> 709b45b42020d6cbc59940ab04380f5b0134b946
> (on 17 and 18 of September)

And you probably want
org.apache.tomcat.util.codec.binary.Base64.decodeBase64URLSafe(String)

The short(ish) version is:
- Commons CODEC fixed a bug to handle incomplete encodings at the end of
  the input (CODEC-134)
- That triggered a failure in one of Tomcat's unit tests
- Fixing the particular failure meant removing the "seamless" decoding
  of both standard and URL-safe Base64 with the same code
- We (OK, I) incorrectly thought Tomcat didn't need the URL-safe
  decoding so it was removed - this triggered the issue you describe
  above
- Testing of the HTTP/2 showed we did need it so it was restored but
  separate methods were provided for standard and URL-safe decoding

HTH,

Mark
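
The thread turns on the difference between the standard and URL-safe Base64 alphabets. The following is an added example, not code from the thread or from Tomcat: it uses only java.util.Base64 to show that a strict standard decoder rejects URL-safe input, and how a caller can select the decoder explicitly and refuse mixed-alphabet input. The class name, method names and sample bytes are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Base64;

public class Base64AlphabetCheck {

    enum Alphabet { STANDARD, URL_SAFE, EITHER, MIXED }

    // The two alphabets differ only in two symbols: '+' '/' versus '-' '_'.
    static Alphabet classify(String s) {
        boolean std = s.indexOf('+') >= 0 || s.indexOf('/') >= 0;
        boolean url = s.indexOf('-') >= 0 || s.indexOf('_') >= 0;
        if (std && url) return Alphabet.MIXED;
        if (std) return Alphabet.STANDARD;
        if (url) return Alphabet.URL_SAFE;
        return Alphabet.EITHER; // no distinguishing symbol present
    }

    // Pick the decoder from the input's alphabet; never guess on mixed input.
    static byte[] decodeStrict(String s) {
        switch (classify(s)) {
            case MIXED:
                throw new IllegalArgumentException("mixed Base64 alphabets");
            case URL_SAFE:
                return Base64.getUrlDecoder().decode(s);
            default:
                return Base64.getDecoder().decode(s);
        }
    }

    public static void main(String[] args) {
        // Constructed sample bytes whose encoding uses the differing symbols.
        byte[] raw = {(byte) 0xfb, (byte) 0xef, (byte) 0xff, 0x01};
        String std = Base64.getEncoder().withoutPadding().encodeToString(raw);
        String url = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("standard: " + std + "  url-safe: " + url);

        // Each form decodes correctly once the matching decoder is selected.
        System.out.println(Arrays.equals(raw, decodeStrict(std)));
        System.out.println(Arrays.equals(raw, decodeStrict(url)));

        // A standard-alphabet decoder must not be handed URL-safe input.
        try {
            Base64.getDecoder().decode(url);
        } catch (IllegalArgumentException e) {
            System.out.println("standard decoder rejected: " + e.getMessage());
        }
    }
}
```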
