New submission from Idan Moral <idan22mo...@gmail.com>:
Currently, when providing binascii.a2b_base64() base-64 input with excess data after the padding ('='/'=='), the excess data is ignored.

Example:

    import binascii
    binascii.a2b_base64(b'aGVsbG8=')        # b'hello' (valid)
    binascii.a2b_base64(b'aGVsbG8==')       # b'hello' (ignoring data)
    binascii.a2b_base64(b'aGVsbG8=python')  # b'hello' (ignoring data)

Note: MANY libraries (such as the all-time favorite `base64`) use this function as their decoder.

Why is it problematic:

* User input can contain additional data after base64 data, which can lead to unintended behavior in products.
* Well-crafted user input can be used to bypass conditions in code (example in the referenced tweet).
* Can be used to target vulnerable libraries and bypass authentication mechanisms such as JWT (potentially).

The logic behind my fix PR on GitHub:

* Before deciding to finish the function (after knowing the fact that we passed the data padding), we should check if there's no more data after the padding.
* If excess data exists, we should raise an error, free the allocated writer, and return null.
* Else, everything's fine, and we can proceed to the function's end as previously.

Though not publicly disclosed, this behavior can lead to security issues in heavily-used projects. Preventing this behavior sounds more beneficial than harmful, since there's no known good usage for this behavior.

From what I read, the python implementation is not so close (when speaking about this case of course) to the base64 RFC. (link: https://tools.ietf.org/html/rfc4648#section-3.3)

Thanks to Ori Damari (twitter: https://twitter.com/0xrepnz) for bringing this behavior up, and thanks to Ryan Mast (twitter: https://twitter.com/rmast), and many of the other great guys for discussing the problem in the comments.
Link to the tweet: https://twitter.com/0xrepnz/status/1355295649915404291

--------------------------
Idan Moral
Twitter: https://twitter.com/idan_moral
GitHub: https://github.com/idan22moral

----------
components: Library (Lib)
messages: 386032
nosy: idan22moral
priority: normal
severity: normal
status: open
title: Excess data is not handled properly in binascii.a2b_base64()
type: security
versions: Python 3.10

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43086>
_______________________________________