[
https://issues.apache.org/jira/browse/CODEC-134?focusedWorklogId=245235&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-245235
]
ASF GitHub Bot logged work on CODEC-134:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/May/19 15:39
Start Date: 20/May/19 15:39
Worklog Time Spent: 10m
Work Description: garydgregory commented on pull request #19: CODEC-134:
Update commons-codec to reject decoding any impossible string encoding for
Base32 and Base64.
URL: https://github.com/apache/commons-codec/pull/19
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 245235)
Time Spent: 10m
Remaining Estimate: 0h
> Base32 would decode some invalid Base32 encoded string into arbitrary value
> ---------------------------------------------------------------------------
>
> Key: CODEC-134
> URL: https://issues.apache.org/jira/browse/CODEC-134
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.6
> Environment: All
> Reporter: Hanson Char
> Priority: Major
> Labels: security
> Attachments: diff-120305-20.txt
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Example, there is no byte array value that can be encoded into the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L===", but the existing Base32 implementation
> would not reject it but decode it into an arbitrary value which if re-encoded
> again using the same implementation would result in the string
> "C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===".
> Instead of blindly decoding the invalid string, the Base32 codec should
> reject it (e.g. by throwing IllegalArgumentException) to avoid security
> exploitation (such as tunneling additional information via seemingly valid
> base 32 strings).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
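The check the report asks for, written out as an added example in Python (not Commons Codec code and not the fix in pull request #19): a Base32 decoder that, besides the usual length, alphabet and padding checks, refuses any final quantum whose bits past the last whole byte are non-zero, since an RFC 4648 encoder always zero-fills them and so no byte array can produce such a string. `ValueError` stands in for the `IllegalArgumentException` suggested in the report; `lenient_roundtrip` uses Python's standard library, which drops the stray bit the same way the Commons Codec version described in the report does, so the two strings from the report can be compared side by side.

```python
"""Strict (canonical) Base32 decoding: reject strings no byte array encodes.

Added example, not Commons Codec code. ValueError stands in for the
IllegalArgumentException the CODEC-134 report asks for.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}

# Shapes of a final quantum allowed by RFC 4648 section 6:
# number of data characters -> (bytes they carry, trailing bits that must be 0)
FINAL_QUANTUM = {8: (5, 0), 7: (4, 3), 5: (3, 1), 4: (2, 4), 2: (1, 2)}


def strict_b32decode(s: str) -> bytes:
    """Decode Base32, raising ValueError on anything an RFC 4648 encoder
    cannot have produced: wrong length, foreign characters, '=' inside the
    data, an impossible pad count, or non-zero bits after the last byte."""
    if len(s) % 8:
        raise ValueError("length is not a multiple of 8")
    body = s.rstrip("=")
    pad = len(s) - len(body)
    if pad not in (0, 1, 3, 4, 6):
        raise ValueError(f"impossible padding length {pad}")
    if "=" in body:
        raise ValueError("padding character inside the data")
    out = bytearray()
    for i in range(0, len(body), 8):
        chunk = body[i:i + 8]  # every chunk but the last has 8 characters
        acc = 0
        for c in chunk:
            if c not in DECODE_MAP:
                raise ValueError(f"invalid Base32 character {c!r}")
            acc = (acc << 5) | DECODE_MAP[c]
        nbytes, leftover = FINAL_QUANTUM[len(chunk)]
        # The canonicality check: the encoder zero-fills the bits that spill
        # past the last byte, so a decoder must find zeros there. A lenient
        # decoder silently discards them, which is the bug in the report.
        if acc & ((1 << leftover) - 1):
            raise ValueError("non-zero trailing bits: no byte array encodes this string")
        out += (acc >> leftover).to_bytes(nbytes, "big")
    return bytes(out)


def is_canonical_b32(s: str) -> bool:
    """True only if s is exactly what encoding some byte array yields."""
    try:
        strict_b32decode(s)
        return True
    except ValueError:
        return False


def lenient_roundtrip(s: str) -> str:
    """Decode with the (lenient) standard library and re-encode, which is the
    behaviour the report describes: the stray bit is dropped and a different
    string comes back."""
    return base64.b32encode(base64.b32decode(s)).decode("ascii")


def strict_roundtrip(s: str) -> str:
    """Same, but through the strict decoder: either identical or an error."""
    return base64.b32encode(strict_b32decode(s)).decode("ascii")


if __name__ == "__main__":
    invalid = "C5CYMIHWQUUZMKUGZHGEOSJSQDE4L==="  # string from the report
    print(lenient_roundtrip(invalid))  # C5CYMIHWQUUZMKUGZHGEOSJSQDE4K===
    try:
        strict_b32decode(invalid)
    except ValueError as err:
        print("rejected:", err)
```

The last data character of the report's string, `L` (binary 01011), has its lowest bit set; that bit lies past the 24th bit of the final quantum and so past the third decoded byte, which is why a lenient decoder re-encodes it as `K` (01010). That single bit is the covert channel the report warns about: with the strict decoder it is an error rather than a place to hide data.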