Posted to issues@commons.apache.org by "Tim Mousaw (JIRA)" <ji...@apache.org> on 2019/07/12 14:13:00 UTC

[jira] [Commented] (CODEC-134) Base32 would decode some invalid Base32 encoded string into arbitrary value

    [ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883844#comment-16883844 ] 

Tim Mousaw commented on CODEC-134:
----------------------------------

I have the same question as [~pavanraju023]. I would appreciate a release soon as we have a software release coming up in a couple of weeks and I'd like to incorporate a published version rather than having to use a forked copy.

> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>            Assignee: Gary Gregory
>            Priority: Major
>              Labels: security
>             Fix For: 1.13
>
>         Attachments: diff-120305-20.txt
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it but decode it into an arbitrary value which if re-encoded again using the same implementation would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should reject it (e.g. by throwing IllegalArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid base 32 strings).



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
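The check the quoted report asks for, as an added Python example that is not commons-codec's own code: a strict RFC 4648 Base32 decoder that rejects the final data character when its leftover bits are non-zero, shown beside the lenient stdlib decoder (which, like Codec 1.6, silently drops those bits) so the re-encode mismatch from the report can be reproduced.

```python
import base64
import binascii

_REV = {c: i for i, c in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")}
# Data chars in a padded final quantum -> (bytes produced, leftover bits that must be zero).
# 5 chars = 25 bits = 3 bytes + 1 bit; that bit is the difference between ...4K=== and ...4L===.
_TAIL = {2: (1, 2), 4: (2, 4), 5: (3, 1), 7: (4, 3)}

def strict_b32decode(s: str) -> bytes:
    """RFC 4648 Base32 decode accepting only canonical input: rejects bad length,
    misplaced padding, non-alphabet characters and (CODEC-134) non-zero leftover bits."""
    if len(s) % 8:
        raise ValueError("length is not a multiple of 8")
    out = bytearray()
    for i in range(0, len(s), 8):
        body = s[i:i + 8].rstrip("=")
        pad = 8 - len(body)
        if "=" in body or (pad and (i + 8 != len(s) or len(body) not in _TAIL)):
            raise ValueError("invalid padding")
        acc = 0
        for c in body:
            if c not in _REV:
                raise ValueError(f"non-alphabet character {c!r}")
            acc = (acc << 5) | _REV[c]
        if not pad:                       # full 40-bit quantum -> 5 bytes
            out += acc.to_bytes(5, "big")
            continue
        nbytes, leftover = _TAIL[len(body)]
        if acc & ((1 << leftover) - 1):   # bits no encoder could have produced
            raise ValueError("non-zero trailing bits: no byte string encodes to this")
        out += (acc >> leftover).to_bytes(nbytes, "big")
    return bytes(out)

def is_canonical_b32(s: str) -> bool:
    """True only if some byte string actually encodes to s."""
    try:
        strict_b32decode(s)
        return True
    except ValueError:
        return False

def lenient_round_trips(s: str) -> bool:
    """Stdlib b32decode also silently drops leftover bits; this exposes that by re-encoding."""
    try:
        return base64.b32encode(base64.b32decode(s)).decode("ascii") == s
    except binascii.Error:
        return False
```

Running both functions on the two strings from the report shows the lenient decoder accepting the "...4L===" form while its round trip comes back as "...4K===", which is exactly the covert-channel concern: any value of the leftover bits decodes to the same bytes.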