[
https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16817982#comment-16817982
]
Michel Schudel commented on CODEC-134:
--------------------------------------
No consensus yet? It's been 7 years.
I would say:
* It's a bug and a security vulnerability
* One would have to explicitly create malformed input in order to exploit this
In that case no major version is needed so 1.x would be fine. Any consumers of
the class that actually send malformed input would have to stay version 1.x-1
or fix their code.
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
> Key: CODEC-134
> URL: https://issues.apache.org/jira/browse/CODEC-134
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.6
> Environment: All
> Reporter: Hanson Char
> Priority: Major
> Labels: security
> Attachments: diff-120305-20.txt
>
>
> Example, there is no byte array value that can be encoded into the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation
> would not reject it but decode it into an arbitrary value which if re-encoded
> again using the same implementation would result in the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should
> reject it (eg by throwing IlleglArgumentException) to avoid security
> exploitation (such as tunneling additional information via seemingly valid
> base 32 strings).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
