[ https://issues.apache.org/jira/browse/SHIRO-766?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christoffer Eide updated SHIRO-766:
-----------------------------------
    Description: 
While investigating a bug in our application, I stumbled upon this mail thread:
https://www.mail-archive.com/[email protected]/msg05654.html

We have encountered the same issue.

In 
{{org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity}}:

{code}
String base64 = getCookie().readValue(request, response);
base64 = ensurePadding(base64);
byte[] decoded = Base64.decode(base64);
{code}

If the cookie value contains characters that are not valid base64, the call to 
{{Base64.decode}} fails with:

{noformat}
java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
        at org.apache.shiro.codec.Base64.decode(Base64.java:470)
        at org.apache.shiro.codec.Base64.decode(Base64.java:414)
{noformat}

It can be reproduced like this:
{code}
Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))
{code}

If the same value is passed to Guava's base64 encoder, it fails with:
{noformat}
com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -
{noformat}


> ArrayIndexOutOfBoundsException in Base64#decode
> -----------------------------------------------
>
>                 Key: SHIRO-766
>                 URL: https://issues.apache.org/jira/browse/SHIRO-766
>             Project: Shiro
>          Issue Type: Bug
>          Components: RememberMe
>            Reporter: Christoffer Eide
>            Priority: Minor
>



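As an added illustration (not code from the report or from Shiro itself), this is the defensive pattern a remember-me cookie reader should apply: check the value against the Base64 alphabet before padding and decoding, so a malformed value like the one quoted in the report is rejected with a loggable reason instead of surfacing as an exception in the request pipeline. The `deleteMe` sentinel is the value Shiro writes when it clears the cookie; the sample cookie values and the function names are constructed for this example.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed sample values for this example. The first one is the malformed
# cookie value quoted in the issue report; the second is a well-formed cookie.
MALFORMED_COOKIE = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"
VALID_COOKIE = base64.b64encode(b"serialized principal collection").decode("ascii")

# Sentinel Shiro writes into the cookie when it removes a remembered identity.
DELETED_COOKIE_VALUE = "deleteMe"

# Standard Base64 alphabet, without padding (padding is handled separately).
_ALPHABET_RE = re.compile(r"^[A-Za-z0-9+/]+$")


def ensure_padding(value: str) -> str:
    """Mirror of the padding step quoted in the report: append '=' until the
    length is a multiple of four. Padding alone does not make a value valid."""
    return value + "=" * (-len(value) % 4)


def read_remembered_identity(cookie_value: Optional[str]) -> Tuple[Optional[bytes], str]:
    """Validate a remember-me cookie value before decoding it.

    Returns (decoded_bytes, "ok") for a well-formed value, otherwise
    (None, reason). The reason is meant for logging: a burst of malformed
    remember-me cookies is a useful detection signal, while the decoder
    itself must never let an exception escape to the request pipeline."""
    if not cookie_value or cookie_value == DELETED_COOKIE_VALUE:
        return None, "missing"
    # Strip any padding the client sent, then check the alphabet strictly:
    # '-' and '%' (as in the reported value) are rejected here, before decoding.
    stripped = cookie_value.rstrip("=")
    if not _ALPHABET_RE.fullmatch(stripped):
        return None, "invalid-alphabet"
    padded = ensure_padding(stripped)
    try:
        # validate=True makes the standard library refuse stray characters
        # instead of silently discarding them as a lenient decoder would.
        return base64.b64decode(padded, validate=True), "ok"
    except (binascii.Error, ValueError):
        # A value whose length is 1 mod 4 can never be valid Base64 even after
        # padding; report it rather than raising.
        return None, "bad-length"
```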
--
This message was sent by Atlassian Jira
(v8.3.4#803005)