Posted to issues@commons.apache.org by "Alex Herbert (Jira)" <ji...@apache.org> on 2019/11/24 22:48:00 UTC

[jira] [Updated] (CODEC-270) Base32 and Base64 still allow decoding some invalid trailing characters

     [ https://issues.apache.org/jira/browse/CODEC-270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Herbert updated CODEC-270:
-------------------------------
    Description: 
Both Base32 and Base64 check that the final bits from the trailing digit that will be discarded are zero.

The test for the trailing bits in the final digits in Base64 is:
{code:java}
private long validateCharacter(final int numBitsToDrop, final Context context) {
    if ((context.ibitWorkArea & numBitsToDrop) != 0) {
{code}

It should be:
{code:java}
private long validateCharacter(final int numBitsToDrop, final Context context) {
    int mask = (1 << numBitsToDrop) - 1;
    if ((context.ibitWorkArea & mask) != 0) {
{code}

Likewise in Base32.

The following base64 is illegal but is still decoded:

{noformat}
AB==

A : 000000
B : 000001

byte = 00000000 + 0001 discarded 
{noformat}

Here the check for the 4 trailing bits to drop in this case checks only bit 3 and ignores bit 1 which is set.

Same for Base32, this is illegal:

{noformat}
AB======

A : 00000
B : 00001

byte = 00000000 + 01 discarded
{noformat}

But the check for the 2 trailing bits to drop in this case checks bit 2 and ignores bit 1 which is set.

Note: The test cases using "AC" have bit 2 set and so are flagged as invalid.



  was:
Both Base32 and Base64 check that the final bits from the trailing digit that will be discarded are zero.

The test for the trailing bits in the final digits in Base64 is:
{code:java}
private long validateCharacter(final int numBitsToDrop, final Context context) {
    if ((context.ibitWorkArea & numBitsToDrop) != 0) {
{code}

It should be:
{code:java}
private long validateCharacter(final int numBitsToDrop, final Context context) {
    int mask = (1 << numBitsToDrop) - 1;
    if ((context.ibitWorkArea & mask) != 0) {
{code}

Likewise in Base32.

The following currently are illegal but are still decoded:

{noformat}
AB==

A : 000000
B : 000001

byte = 00000000 + 0001 discarded 
{noformat}

But the check for the 4 trailing bits to drop in this case checks bit 3 and ignores bit 1 which is set.

Same for Base32

{noformat}
AB======

A : 00000
B : 00001

byte = 00000000 + 01 discarded
{noformat}

But the check for the 2 trailing bits to drop in this case checks bit 2 and ignores bit 1 which is set.

Note: The test cases using "AC" have bit 2 set and so are flagged as invalid.




> Base32 and Base64 still allow decoding some invalid trailing characters
> -----------------------------------------------------------------------
>
>                 Key: CODEC-270
>                 URL: https://issues.apache.org/jira/browse/CODEC-270
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.13
>            Reporter: Alex Herbert
>            Assignee: Alex Herbert
>            Priority: Minor
>
> Both Base32 and Base64 check that the final bits from the trailing digit that will be discarded are zero.
> The test for the trailing bits in the final digits in Base64 is:
> {code:java}
> private long validateCharacter(final int numBitsToDrop, final Context context) {
>     if ((context.ibitWorkArea & numBitsToDrop) != 0) {
> {code}
> It should be:
> {code:java}
> private long validateCharacter(final int numBitsToDrop, final Context context) {
>     int mask = (1 << numBitsToDrop) - 1;
>     if ((context.ibitWorkArea & mask) != 0) {
> {code}
> Likewise in Base32.
> The following base64 is illegal but is still decoded:
> {noformat}
> AB==
> A : 000000
> B : 000001
> byte = 00000000 + 0001 discarded 
> {noformat}
> Here the check for the 4 trailing bits to drop in this case checks only bit 3 and ignores bit 1 which is set.
> Same for Base32, this is illegal:
> {noformat}
> AB======
> A : 00000
> B : 00001
> byte = 00000000 + 01 discarded
> {noformat}
> But the check for the 2 trailing bits to drop in this case checks bit 2 and ignores bit 1 which is set.
> Note: The test cases using "AC" have bit 2 set and so are flagged as invalid.
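
Added example, not part of the original message and not Commons Codec source: a stand-alone Java model of the two conditions quoted in the report, run over every possible final Base64 digit to list the endings that carry non-zero discarded bits yet pass the reported check. The class, method and variable names are hypothetical, and the work area here is a plain int holding 6 bits per digit with padding already stripped.

```java
import java.util.ArrayList;
import java.util.List;

public class TrailingBitsCheck {
    static final String B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    // Condition as quoted in the report: ANDs the work area with the bit count itself.
    static boolean reportedCheckRejects(int workArea, int numBitsToDrop) {
        return (workArea & numBitsToDrop) != 0;
    }

    // Condition as proposed in the report: ANDs with a mask covering all dropped bits.
    static boolean proposedCheckRejects(int workArea, int numBitsToDrop) {
        int mask = (1 << numBitsToDrop) - 1;
        return (workArea & mask) != 0;
    }

    // Accumulate 6 bits per digit, most significant digit first (assumed model of a decoder work area).
    static int workArea(String digits) {
        int bits = 0;
        for (char c : digits.toCharArray()) {
            int v = B64.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not a base64 digit: " + c);
            bits = (bits << 6) | v;
        }
        return bits;
    }

    // Final groups whose discarded bits are non-zero but which the reported check lets through.
    static List<String> wronglyAccepted(String prefix, int numBitsToDrop) {
        List<String> out = new ArrayList<>();
        for (char last : B64.toCharArray()) {
            int w = workArea(prefix + last);
            if (proposedCheckRejects(w, numBitsToDrop) && !reportedCheckRejects(w, numBitsToDrop)) {
                out.add(prefix + last);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs: "A?==" holds 12 bits (4 dropped), "AA?=" holds 18 bits (2 dropped).
        for (String[] c : new String[][] {{"A", "4", "=="}, {"AA", "2", "="}}) {
            int drop = Integer.parseInt(c[1]);
            List<String> bad = wronglyAccepted(c[0], drop);
            System.out.println(drop + " bits dropped: " + bad.size()
                    + " non-canonical endings pass the reported check, first is " + bad.get(0) + c[2]);
        }
    }
}
```

Each ending it lists decodes to the same bytes as the canonical form with zeroed trailing bits, so a decoder using the reported check accepts more than one encoding of the same data.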


