I forgot to add that in my dirty fix I changed the line 186 to :
*byte[] bin = Base64.decodeBase64(in.replace(' ', '+').getBytes("UTF-8"));
*
Changing the line 152 is certainly not important since the browser will
change the "+" to " " anyway.*
*Before trying to do any fancy fix, I would like to know if people are
seeing this as a bug or I am missing something.*
*thanks
On Fri, May 14, 2010 at 1:33 PM, franck tankoua <[email protected]> wrote:
> Hi,
>
> I have caught a problem while using the secureToken in an encrypted way.
>
> if you checkout the "wrap" method of the "BasicBlobCrypter.java", you will
> see that it can actually output String with "+" character
> Example: "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X*
> +*Ba5of7Saw1lGygGothxUvRmIYp8QqT*+*
> HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
>
> the problem is that when the gadget sends the request back, the "st"
> parameter is in the url ( GET method) and browsers ( firefox, chrome ) skip
> the '+' character and replace them with ' '.
>
> So in the example above, the string which comes back is actually
> "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X
> Ba5of7Saw1lGygGothxUvRmIYp8QqT
> HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11"
>
> Note there is no "+" anymore.
>
> Just as a proof of concept, I have changed the line 152 of
> BasicBlobCrypter to *return new String(b64, UTF8).replace('+', ' ');*
> And it actually fixed my problem. This is a dirty fix and I would like to
> know if anybody ever stumbled upon this before.
>
> Thanks
>
> --
> Franck
>
--
Franck
