Posted to dev@shindig.apache.org by franck tankoua <ft...@gmail.com> on 2010/05/14 13:33:22 UTC

problem with BasicBlobCrypter hmac with "+" character

Hi,

I have caught a problem while using the secureToken in an encrypted way.

If you check out the "wrap" method of "BasicBlobCrypter.java", you will
see that it can actually output Strings with the "+" character.
Example: "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X+Ba5of7Saw1lGygGothxUvRmIYp8QqT+HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"

The problem is that when the gadget sends the request back, the "st"
parameter is in the URL (GET method) and browsers (Firefox, Chrome) skip
the '+' character and replace it with ' '.

So in the example above, the string which comes back is actually
"rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X Ba5of7Saw1lGygGothxUvRmIYp8QqT HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"

Note there is no "+" anymore.

Just as a proof of concept, I have changed line 152 of BasicBlobCrypter
to: return new String(b64, UTF8).replace('+', ' ');
And it actually fixed my problem. This is a dirty fix and I would like to
know if anybody ever stumbled upon this before.

Thanks

-- 
Franck

Re: problem with BasicBlobCrypter hmac with "+" character

Posted by franck tankoua <ft...@gmail.com>.
Thanks Paul. I thought I was the only one to have that problem.

Regards

On Mon, Jul 19, 2010 at 7:42 AM, Paul Lindner <pl...@linkedin.com> wrote:

> I committed a fix to trunk that should take care of this.  It uses
> commons-codec 1.4, which has a URL-safe version of base64.
>
> On Fri, May 14, 2010 at 5:10 AM, franck tankoua <ft...@gmail.com>
> wrote:
>
> > I forgot to add that in my dirty fix I changed line 186 to:
> > byte[] bin = Base64.decodeBase64(in.replace(' ', '+').getBytes("UTF-8"));
> > Changing line 152 is certainly not important since the browser will
> > change the "+" to " " anyway.
> >
> > Before trying to do any fancy fix, I would like to know if people are
> > seeing this as a bug or I am missing something.
> >
> > Thanks
> >
> > On Fri, May 14, 2010 at 1:33 PM, franck tankoua <ft...@gmail.com>
> > wrote:
> >
> > > Hi,
> > >
> > > I have caught a problem while using the secureToken in an encrypted way.
> > >
> > > If you check out the "wrap" method of "BasicBlobCrypter.java", you will
> > > see that it can actually output Strings with the "+" character.
> > > Example: "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X+Ba5of7Saw1lGygGothxUvRmIYp8QqT+HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
> > >
> > > The problem is that when the gadget sends the request back, the "st"
> > > parameter is in the URL (GET method) and browsers (Firefox, Chrome) skip
> > > the '+' character and replace it with ' '.
> > >
> > > So in the example above, the string which comes back is actually
> > > "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X Ba5of7Saw1lGygGothxUvRmIYp8QqT HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
> > >
> > > Note there is no "+" anymore.
> > >
> > > Just as a proof of concept, I have changed line 152 of BasicBlobCrypter
> > > to: return new String(b64, UTF8).replace('+', ' ');
> > > And it actually fixed my problem. This is a dirty fix and I would like to
> > > know if anybody ever stumbled upon this before.
> > >
> > > Thanks
> > >
> > > --
> > > Franck
> > >
> >
> >
> >
> > --
> > Franck
> >
>
>
>
> --
> Paul Lindner -- plindner@linkedin.com -- linkedin.com/in/plindner
>



-- 
Franck

Re: problem with BasicBlobCrypter hmac with "+" character

Posted by Paul Lindner <pl...@linkedin.com>.
I committed a fix to trunk that should take care of this.  It uses
commons-codec 1.4, which has a URL-safe version of base64.

On Fri, May 14, 2010 at 5:10 AM, franck tankoua <ft...@gmail.com> wrote:

> I forgot to add that in my dirty fix I changed line 186 to:
> byte[] bin = Base64.decodeBase64(in.replace(' ', '+').getBytes("UTF-8"));
> Changing line 152 is certainly not important since the browser will
> change the "+" to " " anyway.
>
> Before trying to do any fancy fix, I would like to know if people are
> seeing this as a bug or I am missing something.
>
> Thanks
>
> On Fri, May 14, 2010 at 1:33 PM, franck tankoua <ft...@gmail.com>
> wrote:
>
> > Hi,
> >
> > I have caught a problem while using the secureToken in an encrypted way.
> >
> > If you check out the "wrap" method of "BasicBlobCrypter.java", you will
> > see that it can actually output Strings with the "+" character.
> > Example: "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X+Ba5of7Saw1lGygGothxUvRmIYp8QqT+HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
> >
> > The problem is that when the gadget sends the request back, the "st"
> > parameter is in the URL (GET method) and browsers (Firefox, Chrome) skip
> > the '+' character and replace it with ' '.
> >
> > So in the example above, the string which comes back is actually
> > "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X Ba5of7Saw1lGygGothxUvRmIYp8QqT HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
> >
> > Note there is no "+" anymore.
> >
> > Just as a proof of concept, I have changed line 152 of BasicBlobCrypter
> > to: return new String(b64, UTF8).replace('+', ' ');
> > And it actually fixed my problem. This is a dirty fix and I would like to
> > know if anybody ever stumbled upon this before.
> >
> > Thanks
> >
> > --
> > Franck
> >
>
>
>
> --
> Franck
>



-- 
Paul Lindner -- plindner@linkedin.com -- linkedin.com/in/plindner
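
The round trip Franck describes in the original post, and the URL-safe alphabet that Paul's commons-codec 1.4 fix relies on, as an added example that is not Shindig's BasicBlobCrypter code: the key, the payload bytes, the function names and the blob layout (payload followed by an HMAC-SHA1 tag) are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import unquote_plus

# Constructed demo key and blob layout (payload || HMAC-SHA1 tag); these are
# assumptions for the example, not Shindig's real BasicBlobCrypter format or key.
KEY = b"constructed-demo-hmac-key"
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes

# Three bytes whose standard base64 encoding is "++++" (every sextet is 62),
# so the resulting token is guaranteed to carry the problematic character.
SAMPLE_PAYLOAD = bytes([0xFB, 0xEF, 0xBE])

def wrap(payload: bytes, url_safe: bool) -> str:
    """Append the HMAC tag and base64-encode the blob with the chosen alphabet."""
    tag = hmac.new(KEY, payload, hashlib.sha1).digest()
    encode = base64.urlsafe_b64encode if url_safe else base64.b64encode
    return encode(payload + tag).decode("ascii")

def unwrap(token: str, url_safe: bool) -> Optional[bytes]:
    """Decode and verify the tag; return the payload, or None on any failure."""
    decode = base64.urlsafe_b64decode if url_safe else base64.b64decode
    try:
        blob = decode(token)  # a ' ' is outside both alphabets: dropped or rejected
    except ValueError:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(KEY, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def browser_round_trip(token: str) -> str:
    """Simulate the 'st' parameter coming back in a GET query string: an
    unescaped '+' is form-decoded as a space, exactly as the thread reports."""
    return unquote_plus(token)

def demonstrate() -> dict:
    """For both alphabets: (token sent, token received, verified after the trip)."""
    result = {}
    for name, url_safe in (("standard", False), ("url_safe", True)):
        token = wrap(SAMPLE_PAYLOAD, url_safe)
        returned = browser_round_trip(token)
        result[name] = (token, returned, unwrap(returned, url_safe) == SAMPLE_PAYLOAD)
    return result

if __name__ == "__main__":
    for name, (token, returned, ok) in demonstrate().items():
        print(f"{name:9s} sent={token} got={returned} verified={ok}")
```

Python's lenient decoder silently drops the spaces, so the standard-alphabet failure surfaces as a tag mismatch rather than a decode error; a strict decoder rejects the token earlier, with the same net effect.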

Re: problem with BasicBlobCrypter hmac with "+" character

Posted by franck tankoua <ft...@gmail.com>.
I forgot to add that in my dirty fix I changed line 186 to:
byte[] bin = Base64.decodeBase64(in.replace(' ', '+').getBytes("UTF-8"));
Changing line 152 is certainly not important since the browser will
change the "+" to " " anyway.

Before trying to do any fancy fix, I would like to know if people are
seeing this as a bug or I am missing something.

Thanks

On Fri, May 14, 2010 at 1:33 PM, franck tankoua <ft...@gmail.com> wrote:

> Hi,
>
> I have caught a problem while using the secureToken in an encrypted way.
>
> If you check out the "wrap" method of "BasicBlobCrypter.java", you will
> see that it can actually output Strings with the "+" character.
> Example: "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X+Ba5of7Saw1lGygGothxUvRmIYp8QqT+HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
>
> The problem is that when the gadget sends the request back, the "st"
> parameter is in the URL (GET method) and browsers (Firefox, Chrome) skip
> the '+' character and replace it with ' '.
>
> So in the example above, the string which comes back is actually
> "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X Ba5of7Saw1lGygGothxUvRmIYp8QqT HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
>
> Note there is no "+" anymore.
>
> Just as a proof of concept, I have changed line 152 of BasicBlobCrypter
> to: return new String(b64, UTF8).replace('+', ' ');
> And it actually fixed my problem. This is a dirty fix and I would like to
> know if anybody ever stumbled upon this before.
>
> Thanks
>
> --
> Franck
>



-- 
Franck