You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/10/25 15:36:58 UTC
[jira] [Commented] (QPID-7470) [Java Broker] Address
javax.xml.bind.DatatypeConverter shortcomings
[ https://issues.apache.org/jira/browse/QPID-7470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15605630#comment-15605630 ]
ASF subversion and git services commented on QPID-7470:
-------------------------------------------------------
Commit 1766547 from [~godfrer] in branch 'java/trunk'
[ https://svn.apache.org/r1766547 ]
QPID-7470 : Wrap use of DatatypeConverter.parseBase64Binary to validate that only valid characters exist within the string
> [Java Broker] Address javax.xml.bind.DatatypeConverter shortcomings
> -------------------------------------------------------------------
>
> Key: QPID-7470
> URL: https://issues.apache.org/jira/browse/QPID-7470
> Project: Qpid
> Issue Type: Task
> Components: Java Broker
> Reporter: Lorenz Quack
>
> javax.xml.bind.DatatypeConverterImpl#parseBase64Binary has shortcomings that we should address. It does not (as the java docs suggest) throw IllegalArgumentException when the argument contains characters outside the valid base64 value space. Instead it will skip invalid characters in the (7-bit) ASCII range and throw a ArrayIndexOutOfBoundsException on non-ASCII characters.
> We should guard against these cases. Maybe by wrapping javax.xml.bind.DatatypeConverterImpl in our own class and doing input validation there.
> See also (https://bugs.openjdk.java.net/browse/JDK-8168456)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org