[https://issues.apache.org/jira/browse/CODEC-134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832596#comment-16832596]
Tim Mousaw commented on CODEC-134:
----------------------------------
I'm sorry - I'm new to the GitHub PR process. I created the following -
[https://github.com/tmousaw-ptc/commons-codec/pull/1]. But that appears to be a
PR to merge into my own forked master branch. I'm assuming you need a merge
request from my forked repository to the upstream repository?
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
> Key: CODEC-134
> URL: https://issues.apache.org/jira/browse/CODEC-134
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.6
> Environment: All
> Reporter: Hanson Char
> Priority: Major
> Labels: security
> Attachments: diff-120305-20.txt
>
>
> Example, there is no byte array value that can be encoded into the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation
> would not reject it but decode it into an arbitrary value which if re-encoded
> again using the same implementation would result in the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should
> reject it (e.g. by throwing IllegalArgumentException) to avoid security
> exploitation (such as tunneling additional information via seemingly valid
> base 32 strings).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
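A strict Base32 decoder that rejects the non-canonical trailing bits described in the quoted issue, added here as an illustration rather than commons-codec's own code. The names b32decode, is_canonical and lenient_roundtrip are chosen for this example; the two strings are the ones quoted in the report.

```python
"""Canonical Base32 check for the CODEC-134 defect (added example, not commons-codec code)."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_REV = {c: i for i, c in enumerate(ALPHABET)}
# Allowed pad lengths of the final quantum -> data bytes it carries (RFC 4648 section 6).
_PAD_TO_BYTES = {0: 5, 1: 4, 3: 3, 4: 2, 6: 1}


def b32decode(text: str, strict: bool = True) -> bytes:
    """Decode RFC 4648 Base32. strict=True rejects input whose unused low-order
    bits in the final quantum are non-zero; strict=False discards them silently,
    which is the lenient behaviour the issue reports."""
    if len(text) % 8:
        raise ValueError("length is not a multiple of 8")
    out = bytearray()
    for i in range(0, len(text), 8):
        quantum = text[i:i + 8]
        body = quantum.rstrip("=")
        pad = len(quantum) - len(body)
        if pad not in _PAD_TO_BYTES or (pad and i + 8 != len(text)):
            raise ValueError(f"bad padding in quantum {quantum!r}")
        acc = 0
        for ch in body:
            if ch not in _REV:
                raise ValueError(f"non-alphabet character {ch!r}")
            acc = (acc << 5) | _REV[ch]
        nbytes = _PAD_TO_BYTES[pad]
        leftover = 5 * len(body) - 8 * nbytes   # unused bits: 0, 3, 1, 4 or 2
        if strict and acc & ((1 << leftover) - 1):
            raise ValueError(f"non-canonical encoding: {leftover} trailing bit(s) set")
        out += (acc >> leftover).to_bytes(nbytes, "big")
    return bytes(out)


def is_canonical(text: str) -> bool:
    try:
        b32decode(text, strict=True)
        return True
    except ValueError:
        return False


def lenient_roundtrip(text: str) -> str:
    """Decode leniently, then re-encode: the result differs from the input exactly
    when the input was non-canonical, the symptom described in the report."""
    return base64.b32encode(b32decode(text, strict=False)).decode("ascii")


# The two strings quoted in the issue: they differ only in the last data character.
NON_CANONICAL = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L==="
CANONICAL = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K==="
```

Re-encoding the lenient decode of NON_CANONICAL yields CANONICAL, so a decoder that verifies `lenient_roundtrip(s) == s` catches the same inputs the strict path rejects.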