[TASK] Add strict parameter to base64url decode

PHP's base64_decode has a strict parameter to only accept characters of the corresponding base64 alphabet, see https://www.php.net/manual/en/function.base64-decode.php Resolves: #102620 Releases: main, 12.4 Change-Id: I39a038519ec1e884ba42f691c6dea76cbce772fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82271 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Dec 22, 2023 · b9cabb7 · b9cabb7
1 parent 72f2572
commit b9cabb7
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/typo3/sysext/core/Classes/Security/Nonce.php b/typo3/sysext/core/Classes/Security/Nonce.php
@@ -45,7 +45,7 @@ public static function fromHashSignedJwt(string $jwt): self
             $payload = self::decodeJwt($jwt, self::createSigningKeyFromEncryptionKey(Nonce::class), true);
             return GeneralUtility::makeInstance(
                 self::class,
-                StringUtility::base64urlDecode($payload['nonce'] ?? ''),
+                StringUtility::base64urlDecode($payload['nonce'] ?? '', true),
                 \DateTimeImmutable::createFromFormat(\DateTimeImmutable::RFC3339, $payload['time'] ?? null)
             );
         } catch (\Throwable $t) {

diff --git a/typo3/sysext/core/Classes/Utility/StringUtility.php b/typo3/sysext/core/Classes/Utility/StringUtility.php
@@ -189,11 +189,12 @@ public static function base64urlEncode(string $value): string
      *  + position #63: `_` (underscore) -> `/`
      *
      * @param string $value base64url decoded string
-     * @return string raw value
+     * @param bool $strict enforces to only allow characters contained in the base64(url) alphabet
+     * @return string|false raw value, or `false` if non-base64(url) characters were given in strict mode
      */
-    public static function base64urlDecode(string $value): string
+    public static function base64urlDecode(string $value, bool $strict = false): string|false
     {
-        return base64_decode(strtr($value, ['-' => '+', '_' => '/']));
+        return base64_decode(strtr($value, ['-' => '+', '_' => '/']), $strict);
     }
 
     /**

diff --git a/typo3/sysext/core/Tests/Unit/Utility/StringUtilityTest.php b/typo3/sysext/core/Tests/Unit/Utility/StringUtilityTest.php
@@ -389,6 +389,32 @@ public function base64urlDecodeWorks(string $rawValue, string $encodedValue): vo
         self::assertSame($rawValue, StringUtility::base64urlDecode($encodedValue));
     }
 
+    public static function base64urlStrictDataProvider(): \Generator
+    {
+        yield ['', ''];
+        yield ['YQ', 'a'];
+        yield ['YWE', 'aa'];
+        yield ['YWE-', 'aa>'];
+        yield ['YWE_', 'aa?'];
+        yield ['YWFh', 'aaa'];
+        yield ['YWFhYQ', 'aaaa'];
+        yield ['YWFhYQ!', false];
+        yield ['Y!W!E', false];
+        // `Y W E` is interesting - plain `base64_decode` strips inner spaces
+        yield ['Y W E', 'aa'];
+        yield ["Y\nW\nE", 'aa'];
+        yield ["Y\tW\tE", 'aa'];
+    }
+
+    /**
+     * @test
+     * @dataProvider base64urlStrictDataProvider
+     */
+    public function base64urlStrictDecodeWorks(string $encodedValue, string|bool $expectation): void
+    {
+        self::assertSame($expectation, StringUtility::base64urlDecode($encodedValue, true));
+    }
+
     public static function explodeEscapedDataProvider(): array
     {
         return [