Excess data is not handled properly in binascii.a2b_base64() #87252
Currently, when providing binascii.a2b_base64() base-64 input with excess data after the padding ('='/'=='), the excess data is ignored. Example:

    import binascii
    binascii.a2b_base64(b'aGVsbG8=')        # b'hello' (valid)
    binascii.a2b_base64(b'aGVsbG8==')       # b'hello' (ignoring data)
    binascii.a2b_base64(b'aGVsbG8=python')  # b'hello' (ignoring data)

Note: MANY libraries (such as the all-time favorite

Why is it problematic:

The logic behind my fix PR on GitHub:

Though not publicly disclosed, this behavior can lead to security issues in heavily-used projects. From what I read, the Python implementation is not so close (when speaking about this case, of course) to the base64 RFC.

Thanks to Ori Damari (twitter: https://twitter.com/0xrepnz) for bringing this behavior up. Link to the tweet: https://twitter.com/0xrepnz/status/1355295649915404291

Idan Moral
I've merged Idan's PR adding a strict_mode parameter to a2b_base64. It defaults to False for backwards compatibility. From a security perspective, it'd be _ideal_ if this were True. But I expect doing that would break a bunch of existing code and tests that have been relying on some of the former leniency behaviors, so I recommended the conservative approach of the old-behavior default. It'd be a good thing to change it to True, but disruptive. We need a motivating reason to do that. As it is a new feature due to the new parameter, this is for 3.11. Workaround for Pythons without this: do a validity check before calling a2b_base64. I suspect a regex could be constructed for that if you're careful. If you come up with one, please share it here.
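The following is an added example written for this page; it is not code from the issue, from Idan's PR or from CPython. It answers the workaround question above for Pythons that lack strict_mode: a regex that only admits canonical RFC 4648 base64 (whole four-character groups plus at most one padded final group), followed by a round-trip check that also catches inputs which pass the shape test but are not the canonical encoding of their payload (non-zero unused bits in the last group, which a2b_base64 drops silently). The names strict_a2b_base64, compare and PROBES are assumptions for this example, and the probe inputs are constructed here; the first three probes mirror the ones in the issue text.

```python
"""Strict base64 decoding for Pythons without a2b_base64(strict_mode=True).

Added example for the thread above (not CPython's code). Works on any Python 3.
"""
import base64
import binascii
import re

# Canonical base64 per RFC 4648 section 4: zero or more groups of four
# alphabet characters, then optionally one final group "xx==" or "xxx=".
# No whitespace, no leading padding, nothing after the padding.
_CANONICAL_B64 = re.compile(
    rb"\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z"
)


def strict_a2b_base64(data: bytes) -> bytes:
    """Decode canonical base64 or raise binascii.Error.

    Layer 1 (regex) rejects shape problems: excess data after '=',
    doubled padding, stray characters, whitespace.
    Layer 2 (round trip) rejects inputs that a2b_base64 decodes but that are
    not the unique canonical encoding of the decoded bytes, e.g. a final
    character carrying non-zero unused bits.
    """
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("expected bytes, got %s" % type(data).__name__)
    if not _CANONICAL_B64.match(data):
        raise binascii.Error("input is not canonical base64")
    decoded = binascii.a2b_base64(data)
    if base64.b64encode(decoded) != bytes(data):
        raise binascii.Error("input is not the canonical encoding of its payload")
    return decoded


def compare(data: bytes):
    """Return (lenient_result, strict_result); strict_result is None if rejected."""
    lenient = binascii.a2b_base64(data)
    try:
        strict = strict_a2b_base64(data)
    except binascii.Error:
        strict = None
    return lenient, strict


# Constructed probes (assumption: these are illustrative, not from a real system).
PROBES = [
    b"aGVsbG8=",        # valid, canonical
    b"aGVsbG8==",       # excess padding (from the issue)
    b"aGVsbG8=python",  # trailing garbage after padding (from the issue)
    b"aGVsbG9=",        # same payload, non-zero unused bits in last char
    b"aGVs bG8=",       # embedded whitespace, discarded by the lenient decoder
]


if __name__ == "__main__":
    for probe in PROBES:
        lenient, strict = compare(probe)
        verdict = "rejected" if strict is None else repr(strict)
        print("%-16r lenient=%r strict=%s" % (probe, lenient, verdict))
```

On 3.11 and later the same call can additionally pass strict_mode=True to a2b_base64, but the round-trip comparison is still worth keeping wherever the base64 string itself is security relevant (signatures, tokens, identifiers), since two different strings must never decode to the same bytes without being noticed.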