curl-library

Base64 decoding

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Mon, 28 Oct 2013 22:34:30 +0000

Dear all,

Over the weekend I have been pushing some changes to the SASL authentication
in IMAP, POP3 and SMTP that I have wanted to do for a long time - it is
currently in the TODO docs and hopefully I will remove it shortly ;-)

Previously if anything went wrong with any challenge type message received
from the server, and by that I mean for example: the DIGEST-MD5 parameters
given by the server weren't what we were expecting or the NTLM message
decoding failed, then we simply issued a log off command, gave up and
returned an appropriate error code such as CURLE_LOGIN_DENIED.

What I have done for phase one, is handled any errors gracefully by sending
the "*" response back to the server, this instructs the server to cancel our
log in attempt and return to the authentication state. From there we have
two options, we can either safely log off and return an appropriate error
code such as CURLE_LOGIN_DENIED (which is what I've currently implemented)
or possibly try another authentication mechanism (which is what I would like
to implement for phase two).

Anyway, that's the background.

What I noticed whilst I was doing this is that we, currently, don't perform
any validation against the base64 strings that we receive from a server. My
understanding is that a base64 string:

* Should be a multiple of 4 characters

* Can have up to 2 padding characters "=" at the end

For example:

If we were to encode the word "curl" it generates "Y3VybA==" which as you
can see is 8 characters long and has the two padding characters at the end.

My question is should we be performing validation as we attempt to decode
the strings, is it safer to do this or is attempting to decode as much as
possible as we do now the better way to go?

Now I must admit I don't know too much about base64 encoding / decoding but
I noticed some of the base64 decoders that I use on the web validate the
input [1] whilst others don't:

* One, if you miss the two =s off, will return the decoded string
as "cur" and if you miss off one it returns "curl" with an unprintable
character after it [2]

* Whilst another returns "curl" regardless of whether the input is
6, 7 or 8 characters [3]

Cheers in advance

Kind Regards

Steve

[1] = http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

[2] = http://www.motobit.com/util/base64-decoder-encoder.asp

[3] = http://www.base64decode.org/

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-10-28
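
Added example, not part of the original mail and not curl's own code: a strict decoder in C that applies the two rules listed in the message (length a multiple of 4, at most two "=" and only at the very end) and, as an added assumption, also rejects characters outside the standard alphabet. The name strict_b64_decode and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one character to its 6-bit value, or -1 if outside the alphabet. */
static int b64_value(char c)
{
  static const char table[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  const char *p = c ? strchr(table, c) : NULL;
  return p ? (int)(p - table) : -1;
}

/* Hypothetical helper (not a libcurl function): decode src into out. Returns
   bytes written, or -1 if src is malformed or out (outlen) is too small. */
long strict_b64_decode(const char *src, unsigned char *out, size_t outlen)
{
  size_t len = strlen(src), pad = 0, n = 0, i, j;

  if(len == 0 || len % 4 != 0)
    return -1;                       /* rule 1: multiple of 4 characters */
  if(src[len - 1] == '=')
    pad = (src[len - 2] == '=') ? 2 : 1;   /* rule 2: at most 2, at the end */
  if(len / 4 * 3 - pad > outlen)
    return -1;

  for(i = 0; i < len; i += 4) {
    unsigned long v = 0;
    size_t bytes = (i + 4 == len) ? 3 - pad : 3;
    for(j = 0; j < 4; j++) {
      int d = 0;                     /* padding positions contribute zero */
      if(i + j < len - pad && (d = b64_value(src[i + j])) < 0)
        return -1;                   /* '=' or junk before the padding */
      v = (v << 6) | (unsigned long)d;
    }
    for(j = 0; j < bytes; j++)
      out[n++] = (unsigned char)(v >> (16 - 8 * j));
  }
  return (long)n;
}

int main(void)
{
  unsigned char buf[16];
  const char *samples[] = { "Y3VybA==", "Y3VybA=", "Y3VybA" }; /* constructed */
  for(size_t k = 0; k < 3; k++)
    printf("%-8s -> %ld\n", samples[k], strict_b64_decode(samples[k], buf, sizeof(buf)));
  return 0;
}
```

With this strict policy the 6- and 7-character inputs from the message are rejected rather than partially decoded, so the caller can take the cancel path described above instead of acting on a truncated challenge.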