You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
assignee='https://github.com/gpshead'closed_at=<Date2021-07-19.00:56:06.939>created_at=<Date2021-01-31.18:11:52.985>labels= ['type-security', 'extension-modules', 'library', '3.11']
title='Excess data in not handled properly in binascii.a2b_base64()'updated_at=<Date2021-07-19.18:37:26.489>user='https://github.com/idan22moral'
Note: MANY libraries (such as the all-time favorite base64) use this function as their decoder.
Why is it problematic:
User input can contain additional data after base64 data, which can lead to unintended behavior in products.
Well-crafted user input can be used to bypass conditions in code (example in the referenced tweet).
Can be used to target vulnerable libraries and bypass authentication mechanism such as JWT (potentially).
The logic behind my fix PR on GitHub:
Before deciding to finish the function (after knowing the fact that we passed the data padding),
we should check if there's no more data after the padding.
If excess data exists, we should raise an error, free the allocated writer, and return null.
Else, everything's fine, and we can proceed to the function's end as previously.
Though not publicly disclosed, this behavior can lead to security issues in heavily-used projects.
Preventing this behavior sounds more beneficial than harmful, since there's no known good usage for this behavior.
I've merged Idan's PR adding a strict_mode parameter to a2b_base64. It defaults to False for backwards compatibility.
From a security perspective, it'd be _ideal_ if this were True. But I expect doing that would break a bunch of existing code and tests that has been relying on some of the former leniency behaviors so I recommended the conservative approach of the old-behavior default. It'd be a good thing to change it to True, but disruptive. We need motivating reason to do that.
As it is a new feature due to the new parameter, this is for 3.11.
Workaround for Pythons without this: do a validity check before calling a2b_base64. I suspect a regex could be constructed for that if you're careful. If you come up with one, please share it here.