I committed a fix to trunk that should take care of this. It uses commons-codec 1.4, which has a URL-safe version of base64.
On Fri, May 14, 2010 at 5:10 AM, franck tankoua <[email protected]> wrote: > I forgot to add that in my dirty fix I changed the line 186 to : > *byte[] bin = Base64.decodeBase64(in.replace(' ', '+').getBytes("UTF-8")); > * > Changing the line 152 is certainly not important since the browser will > change the "+" to " " anyway.* > > *Before trying to do any fancy fix, I would like to know if people are > seeing this as a bug or I am missing something.* > > *thanks > > On Fri, May 14, 2010 at 1:33 PM, franck tankoua <[email protected]> > wrote: > > > Hi, > > > > I have caught a problem while using the secureToken in an encrypted way. > > > > if you checkout the "wrap" method of the "BasicBlobCrypter.java", you > will > > see that it can actually output String with "+" character > > Example: > "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X* > > +*Ba5of7Saw1lGygGothxUvRmIYp8QqT*+* > > > HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11" > > > > the problem is that when the gadget sends the request back, the "st" > > parameter is in the url ( GET method) and browsers ( firefox, chrome ) > skip > > the '+' character and replace them with ' '. > > > > So in the example above, the string which comes back is actually > > "rANRaw1A3BTa0vSKGdkuXHVb6PHOIvqaKJ4mrlYRTvUZCX4GydOQMjua8xWTA0X > > Ba5of7Saw1lGygGothxUvRmIYp8QqT > > > HEwwsaDhloCD7YwE4Pi77QiWWuOWsG9OddPV3GMdEj43x3rvEDadRHoT757Kgc30NzIoRFomFhypQ/D11" > > > > Note there is no "+" anymore. > > > > Just as a proof of concept, I have changed the line 152 of > > BasicBlobCrypter to *return new String(b64, UTF8).replace('+', ' ');* > > And it actually fixed my problem. This is a dirty fix and I would like > to > > know if anybody ever stumbled upon this before. > > > > Thanks > > > > -- > > Franck > > > > > > -- > Franck > -- Paul Lindner -- [email protected] -- linkedin.com/in/plindner
