Posted to issues@commons.apache.org by "Alex Herbert (Jira)" <ji...@apache.org> on 2019/11/24 22:34:00 UTC

[jira] [Commented] (CODEC-134) Base32 would decode some invalid Base32 encoded string into arbitrary value

    [ https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16981199#comment-16981199 ] 

Alex Herbert commented on CODEC-134:
------------------------------------

This is not totally fixed. For example, the fix for Base64 uses:
{code:java}
        if ((context.ibitWorkArea & numBitsToDrop) != 0) {
{code}
This is called with either 2 or 4 as the numBitsToDrop argument. Thus you are only checking that 1 bit of the possible trailing bits is not zero. It should be:
{code:java}
        int mask = (1 << numBitsToDrop) - 1;
        if ((context.ibitWorkArea & mask) != 0) {
{code}
This will check that all the bits to drop are zero.

I will open a new ticket to demonstrate.

> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
>                 Key: CODEC-134
>                 URL: https://issues.apache.org/jira/browse/CODEC-134
>             Project: Commons Codec
>          Issue Type: Bug
>    Affects Versions: 1.6
>         Environment: All
>            Reporter: Hanson Char
>            Assignee: Gary D. Gregory
>            Priority: Major
>              Labels: security
>             Fix For: 1.13
>
>         Attachments: diff-120305-20.txt
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Example, there is no byte array value that can be encoded into the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation would not reject it but decode it into an arbitrary value which if re-encoded again using the same implementation would result in the string "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should reject it (e.g. by throwing IllegalArgumentException) to avoid security exploitation (such as tunneling additional information via seemingly valid base 32 strings).



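The two trailing-bit checks from the comment above, compared on constructed inputs. This is an added example, not Commons Codec code: the class and method names are hypothetical, and the work area here models only the final, unpadded Base64 quantum (2 characters drop 4 bits, 3 characters drop 2 bits).

```java
public class TrailingBitsCheck {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

    /** Accumulates the 6-bit values of the final quantum (padding already stripped). */
    static int workArea(String finalQuantum) {
        int bits = 0;
        for (char c : finalQuantum.toCharArray()) {
            int v = ALPHABET.indexOf(c);
            if (v < 0) {
                throw new IllegalArgumentException("Not a Base64 character: " + c);
            }
            bits = (bits << 6) | v;
        }
        return bits;
    }

    /** 2 chars = 12 bits -> 1 byte (drop 4); 3 chars = 18 bits -> 2 bytes (drop 2). */
    static int numBitsToDrop(String finalQuantum) {
        switch (finalQuantum.length()) {
            case 2: return 4;
            case 3: return 2;
            default: throw new IllegalArgumentException("Expected 2 or 3 characters");
        }
    }

    /** Check as quoted first in the comment: tests only the bit whose value equals numBitsToDrop. */
    static boolean rejectedBySingleBitCheck(int workArea, int numBitsToDrop) {
        return (workArea & numBitsToDrop) != 0;
    }

    /** Check proposed in the comment: tests every bit that will be dropped. */
    static boolean rejectedByMaskCheck(int workArea, int numBitsToDrop) {
        int mask = (1 << numBitsToDrop) - 1;
        return (workArea & mask) != 0;
    }

    public static void main(String[] args) {
        // Constructed samples: "QQ" and "QUI" are canonical ("A" and "AB"); the rest carry stray trailing bits.
        String[] samples = {"QQ", "QR", "QU", "QUI", "QUJ", "QUK"};
        for (String s : samples) {
            int w = workArea(s);
            int n = numBitsToDrop(s);
            String trailing = Integer.toBinaryString(w & ((1 << n) - 1));
            System.out.printf("%-3s drop=%d trailing=%s singleBitRejects=%b maskRejects=%b%n",
                s, n, trailing, rejectedBySingleBitCheck(w, n), rejectedByMaskCheck(w, n));
        }
    }
}
```

Inputs such as "QR" and "QUJ" are the ones to watch: their non-zero trailing bits fall outside the single tested bit, so only the mask check rejects them.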