cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: Base64 decoding

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Mon, 28 Oct 2013 23:14:57 +0000

On Mon, 28 Oct 2013, Daniel Stenberg wrote:

> > My question is should we be performing validation as we attempt
> > to decode the strings, is it safer to do this or is attempting to
> > decode as much as possible as we do now the better way to go?
>
> My gut reaction tells me we should reject the entire thing if the input is
> deemed malformatted.

Those were my thoughts as well - In fact I've got a modified version of
Curl_base64_decode() in my private branch which does exactly that,
however...

> So, if it isn't a multiple of 4 characters or if there are more than two
> '=' as padding the input is just as wrong as if the input contain any
> illegal letters.
>
> It does make we wonder if it will hit back on us somewhere if
> something somewhere is now relying on our "sloppy" parser...

I searched the code for Curl_base64_decode() and found that it wasn't used
in too many places. Mainly in the sasl code, which I've made more robust and
made sure that strings are terminated, from my changes over the weekend,
rather than letting any subsequent CRLFs that may be present in the buffer
after the message go through to the function.

However, it is the uses in http_negotiate.c, krb.c, security.c and getpart.c
that I am little nervous about as I don't know those areas of code at all :(

Kind Regards

Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-10-29