[ https://issues.apache.org/jira/browse/SHIRO-766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17100200#comment-17100200 ]

Benjamin Marwell commented on SHIRO-766:
----------------------------------------

Since this code is inside the Cookie Manager, I assumed they might either fail 
the request or just create log spam if they were caught later, but I did not 
verify that. In any case, deleting an invalid cookie should be fine (tampering 
attempt?) and logging it directly at its source is better in any case.

If you have other needs, do not hesitate to ask!

> ArrayIndexOutOfBoundsException in Base64#decode
> -----------------------------------------------
>
>                 Key: SHIRO-766
>                 URL: https://issues.apache.org/jira/browse/SHIRO-766
>             Project: Shiro
>          Issue Type: Bug
>          Components: RememberMe
>            Reporter: Christoffer Eide
>            Priority: Minor
>             Fix For: 1.5.4
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> While investigating a bug in our application, I stumbled upon this mail 
> thread:
> https://www.mail-archive.com/[email protected]/msg05654.html
> We have encountered the same issue.
> In 
> {{org.apache.shiro.web.mgt.CookieRememberMeManager#getRememberedSerializedIdentity}}:
> {code}
> String base64 = getCookie().readValue(request, response);
> base64 = ensurePadding(base64);
> byte[] decoded = Base64.decode(base64);
> {code}
> If the cookie value contains characters that are not valid base64, the call 
> to {{Base64.decode}}, fails with:
> {noformat}
> java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
>       at org.apache.shiro.codec.Base64.decode(Base64.java:470)
>       at org.apache.shiro.codec.Base64.decode(Base64.java:414)
> {noformat}
> It can be reproduced like this:
> {code}
> Base64.decode(ensurePadding("383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm"))
> {code}
> If the same value is passed to guavas base64 encoder, it fails with:
> {noformat}
> com.google.common.io.BaseEncoding$DecodingException: Unrecognized character: -
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
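The failure mode in this issue is an untrusted cookie value reaching a decoder that does not validate its input. The following is an added example, not Shiro's own code, of the defensive handling discussed above: check the value against the base64 alphabet before decoding, decode with java.util.Base64 (which throws IllegalArgumentException on stray characters instead of an ArrayIndexOutOfBoundsException), and on any failure log at the source and tell the client to expire the cookie. The ensurePadding here is a hypothetical stand-in for Shiro's method, and the cookie name "rememberMe", the "deleteMe" placeholder value, and the Set-Cookie attributes are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Added example (not Shiro's code): decode a rememberMe cookie value defensively.
 * The cookie is attacker-controlled, so it is validated against the base64
 * alphabet before any decoder touches it, and every failure is reported here,
 * at the source, so the caller can expire the cookie instead of propagating an
 * unchecked exception.
 */
public final class RememberMeCookieDecoder {

    // Standard base64 alphabet only, with at most two trailing '=' characters.
    private static final Pattern BASE64_ALPHABET = Pattern.compile("^[A-Za-z0-9+/]*={0,2}$");

    /** Hypothetical stand-in for Shiro's ensurePadding: pad to a multiple of four. */
    static String ensurePadding(String base64) {
        int remainder = base64.length() % 4;
        if (remainder == 0) {
            return base64;
        }
        StringBuilder padded = new StringBuilder(base64);
        for (int i = remainder; i < 4; i++) {
            padded.append('=');
        }
        return padded.toString();
    }

    /**
     * Returns the decoded bytes, or empty when the value is not well-formed base64.
     * The alphabet check rejects values such as the UUID-style string from the issue
     * (it contains '-' and '%') before decoding is attempted; the try/catch covers
     * anything the regex lets through that the decoder still refuses.
     */
    static Optional<byte[]> decodeStrict(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return Optional.empty();
        }
        String padded = ensurePadding(cookieValue);
        if (!BASE64_ALPHABET.matcher(padded).matches()) {
            return Optional.empty();
        }
        try {
            return Optional.of(Base64.getDecoder().decode(padded));
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    /** Set-Cookie header value that expires the cookie; name, value and path are assumed. */
    static String expireCookieHeader(String cookieName) {
        return cookieName + "=deleteMe; Path=/; Max-Age=0; HttpOnly";
    }

    public static void main(String[] args) {
        // Constructed sample values: one genuine encoding, the reproduction string
        // from the issue, and a value whose length (4n+1) no padding can repair.
        String good = Base64.getEncoder().withoutPadding()
                .encodeToString("serialized-principals".getBytes(StandardCharsets.UTF_8));
        String tampered = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm";
        String truncated = "QUJDR";

        for (String value : new String[] {good, tampered, truncated}) {
            Optional<byte[]> decoded = decodeStrict(value);
            if (decoded.isPresent()) {
                System.out.println("decoded " + decoded.get().length + " bytes from " + value);
            } else {
                // Log at the source and instruct the client to drop the cookie.
                System.out.println("invalid rememberMe cookie value, expiring it: " + value);
                System.out.println("Set-Cookie: " + expireCookieHeader("rememberMe"));
            }
        }
    }
}
```

In a real handler the empty result is where the cookie removal and the log line go; the caller then proceeds as if no rememberMe cookie had been presented rather than failing the request.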
