Bug in org.apache.tomcat.util.codec.binary.Base64.decodeBase64 ?


Arnaud Yahoo
Hello,

I am using a 3rd party valve for OpenID Connect authentication that stopped
working after upgrading from Tomcat 8.5.24 to 8.5.46.

I managed to isolate the issue behind this, and it is caused by a change
in org.apache.tomcat.util.codec.binary.Base64.

It can be reproduced with a simple test case:

@Test
public void decodeBase64Test() {
    // The input uses the URL-safe Base64 alphabet ('-' and '_').
    String str =
            "YZJXP8zFDY6WPk1NZx4RtkH95lA4H_GM_XmFjouJImtqy-PD27-GUYVrCq1QM3M09TzRFZTL4aMMTweZFj3h1M-4Pqb4xrRq9URICQ9ffpnB9OGKjEwEpzhICwbE8C8-zEbhFOEgdXcyeP0pJc9uHEUH9Z4rTEg0jxmOmffIAbX9zfjhIla0XUsFd2C2QQGXu1nTFrb2EqfhLDls4ZLCcnLZE6Be3SpHCtvZiFN4w3xlI0TZitX4S3SjTocK4Xobb3Ey0RnewDP6jw78JniFTbuuGB962GlHDJvaQoda2dON9j7Yhv_pTvxBlHDmIKYINYsBfTwEQ_qtLJtmcvv41Q";

    assertArrayEquals(
            org.apache.tomcat.util.codec.binary.Base64.decodeBase64(str),
            java.util.Base64.getUrlDecoder().decode(str));
}

This test is OK with 8.5.24 but fails with 8.5.46. Are there any known
issues with the Base64 utility?

Arnaud



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Bug in org.apache.tomcat.util.codec.binary.Base64.decodeBase64 ?

Konstantin Kolinko
Tue, 8 Oct 2019 at 12:24, Arnaud Yahoo <[hidden email]>:

>
> Hello,
>
> I am using a 3rd party valve for OpenID Connect authentication that stopped
> working after upgrading from Tomcat 8.5.24 to 8.5.46.
>
> I managed to isolate the issue behind this, and it is caused by a change
> in org.apache.tomcat.util.codec.binary.Base64.
>
> It can be reproduced with a simple test case:
>
> @Test
>      public void decodeBase64Test() {
>          String str =
> "YZJXP8zFDY6WPk1NZx4RtkH95lA4H_GM_XmFjouJImtqy-PD27-GUYVrCq1QM3M09TzRFZTL4aMMTweZFj3h1M-4Pqb4xrRq9URICQ9ffpnB9OGKjEwEpzhICwbE8C8-zEbhFOEgdXcyeP0pJc9uHEUH9Z4rTEg0jxmOmffIAbX9zfjhIla0XUsFd2C2QQGXu1nTFrb2EqfhLDls4ZLCcnLZE6Be3SpHCtvZiFN4w3xlI0TZitX4S3SjTocK4Xobb3Ey0RnewDP6jw78JniFTbuuGB962GlHDJvaQoda2dON9j7Yhv_pTvxBlHDmIKYINYsBfTwEQ_qtLJtmcvv41Q";
>
> assertArrayEquals(org.apache.tomcat.util.codec.binary.Base64.decodeBase64(str),
> java.util.Base64.getUrlDecoder().decode(str));
>      }
>
> This test is OK with 8.5.24 but fails with 8.5.46. Are there any known
> issues with the Base64 utility?

Please test with 8.5.47 release candidate that is currently being
voted (see e-mails on the dev@ list for links).

There have been changes in the decoding code between 8.5.46 and .47.

c8fcc65e74d43b8201a50a30f88836264e565f79
709b45b42020d6cbc59940ab04380f5b0134b946
(on 17 and 18 of September)

Best regards,
Konstantin Kolinko


Re: Bug in org.apache.tomcat.util.codec.binary.Base64.decodeBase64 ?

markt
On 08/10/2019 11:26, Konstantin Kolinko wrote:

> Tue, 8 Oct 2019 at 12:24, Arnaud Yahoo <[hidden email]>:
>>
>> Hello,
>>
>> I am using a 3rd party valve for OpenID Connect authentication that stopped
>> working after upgrading from Tomcat 8.5.24 to 8.5.46.
>>
>> I managed to isolate the issue behind this, and it is caused by a change
>> in org.apache.tomcat.util.codec.binary.Base64.
>>
>> It can be reproduced with a simple test case:
>>
>> @Test
>>      public void decodeBase64Test() {
>>          String str =
>> "YZJXP8zFDY6WPk1NZx4RtkH95lA4H_GM_XmFjouJImtqy-PD27-GUYVrCq1QM3M09TzRFZTL4aMMTweZFj3h1M-4Pqb4xrRq9URICQ9ffpnB9OGKjEwEpzhICwbE8C8-zEbhFOEgdXcyeP0pJc9uHEUH9Z4rTEg0jxmOmffIAbX9zfjhIla0XUsFd2C2QQGXu1nTFrb2EqfhLDls4ZLCcnLZE6Be3SpHCtvZiFN4w3xlI0TZitX4S3SjTocK4Xobb3Ey0RnewDP6jw78JniFTbuuGB962GlHDJvaQoda2dON9j7Yhv_pTvxBlHDmIKYINYsBfTwEQ_qtLJtmcvv41Q";
>>
>> assertArrayEquals(org.apache.tomcat.util.codec.binary.Base64.decodeBase64(str),
>> java.util.Base64.getUrlDecoder().decode(str));
>>      }
>>
>> This test is OK with 8.5.24 but fails with 8.5.46. Are there any known
>> issues with the Base64 utility?
>
> Please test with 8.5.47 release candidate that is currently being
> voted (see e-mails on the dev@ list for links).
>
> There have been changes in the decoding code between 8.5.46 and .47.
>
> c8fcc65e74d43b8201a50a30f88836264e565f79
> 709b45b42020d6cbc59940ab04380f5b0134b946
> (on 17 and 18 of September)

And you probably want
org.apache.tomcat.util.codec.binary.Base64.decodeBase64URLSafe(String)

The short(ish) version is:
- Commons CODEC fixed a bug to handle incomplete encodings at the end of
  the input (CODEC-134)
- That triggered a failure in one of Tomcat's unit tests
- Fixing the particular failure meant removing the "seamless" decoding
  of both standard and URL-safe Base64 with the same code
- We (OK, I) incorrectly thought Tomcat didn't need the URL-safe
  decoding so it was removed - this triggered the issue you describe
  above
- Testing of HTTP/2 showed we did need it so it was restored but
  separate methods were provided for standard and URL-safe decoding

HTH,

Mark
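
Added example, not part of the original thread and not Tomcat's code: the standard and URL-safe Base64 alphabets differ only in two symbols, and a decoder built for one rejects the other, which is the failure mode discussed above. It uses only java.util.Base64; the class name, the helper names and the sample bytes are constructed for illustration.

```java
import java.util.Arrays;
import java.util.Base64;

public class Base64AlphabetDemo {

    // Decode with the decoder that matches the alphabet in use and reject
    // mixed input instead of guessing which alphabet the sender meant.
    static byte[] decodeStrict(String s) {
        boolean urlSafe = s.indexOf('-') >= 0 || s.indexOf('_') >= 0;
        boolean standard = s.indexOf('+') >= 0 || s.indexOf('/') >= 0;
        if (urlSafe && standard) {
            throw new IllegalArgumentException("mixed Base64 alphabets");
        }
        return (urlSafe ? Base64.getUrlDecoder() : Base64.getDecoder()).decode(s);
    }

    // Report either the decoded bytes or the decoder's rejection message.
    static String tryDecode(Base64.Decoder decoder, String s) {
        try {
            return Arrays.toString(decoder.decode(s));
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample bytes: their encoding uses both alphabet-specific symbols.
        byte[] raw = {(byte) 0xfb, (byte) 0xef, (byte) 0xbe, (byte) 0xff, (byte) 0xfe};
        String std = Base64.getEncoder().withoutPadding().encodeToString(raw);
        String url = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("standard encoding: " + std);
        System.out.println("URL-safe encoding: " + url);

        // Each decoder accepts only its own alphabet.
        System.out.println("std decoder, URL-safe input: " + tryDecode(Base64.getDecoder(), url));
        System.out.println("URL decoder, URL-safe input: " + tryDecode(Base64.getUrlDecoder(), url));
        System.out.println("URL decoder, standard input: " + tryDecode(Base64.getUrlDecoder(), std));

        // The strict helper recovers the same bytes from either form.
        System.out.println("round trip ok: "
                + (Arrays.equals(raw, decodeStrict(std)) && Arrays.equals(raw, decodeStrict(url))));
    }
}
```

Code that handles OpenID Connect or JWT values should call the URL-safe decoder explicitly, since those values use the URL-safe alphabet without padding.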


RE: Bug in org.apache.tomcat.util.codec.binary.Base64.decodeBase64 ?

jonmcalexander
In reply to this post by Konstantin Kolinko
How do we get access to the dev list for information around release candidates, etc.?


Jon McAlexander

Re: Bug in org.apache.tomcat.util.codec.binary.Base64.decodeBase64 ?

Konstantin Kolinko
Wed, 9 Oct 2019 at 00:06, <[hidden email]>:
>
> How do we get access to the dev list for information around release candidates, etc.?

In the same way as for the current (users) mailing list that you are writing to:
either subscribe or read past messages in an archive.
http://tomcat.apache.org/lists.html

And do not forget to follow the rules. They are the same as for the users list:
http://tomcat.apache.org/lists.html#tomcat-users
6. Top-posting is bad.

Best regards,
Konstantin Kolinko
