Title: bpo-43086: Added handling for excess data in binascii.a2b_base64 by idan22moral · Pull Request #24402 · python/cpython · GitHub
Description: Currently, when providing binascii.a2b_base64() base-64 input with excess data after the padding (=/==), the excess data is ignored.

Example:

```python
import binascii
binascii.a2b_base64(b'aGVsbG8=')        # b'hello' (valid)
binascii.a2b_base64(b'aGVsbG8==')       # b'hello' (ignoring data)
binascii.a2b_base64(b'aGVsbG8=python')  # b'hello' (ignoring data)
```

Note: MANY libraries (such as the all-time favorite base64) use this function as their decoder.

Why is it problematic:
- User input can contain additional data after base64 data, which can lead to unintended behavior in products.
- Well-crafted user input can be used to bypass conditions in code (example in the referenced tweet).
- Can be used to target vulnerable libraries and bypass authentication mechanisms such as JWT (potentially).

The logic behind my fix PR on GitHub: Before deciding to finish the function (after knowing the fact that we passed the data padding), we should check if there's no more data after the padding. If excess data exists, we should raise an error, free the allocated writer, and return null. Else, everything's fine, and we can proceed to the function's end as previously.

Though not publicly disclosed, this behavior can lead to security issues in heavily-used projects. Preventing this behavior sounds more beneficial than harmful, since there's no known good usage for this behavior.

From what I read, the Python implementation is not so close (when speaking about this case, of course) to the base64 RFC (link: https://tools.ietf.org/html/rfc4648#section-3.3).

Thanks to Ori Damari for bringing this behavior up, and thanks to Ryan Mast and many of the other great guys for discussing the problem in the comments.

Link to the tweet

Idan Moral
Twitter: https://twitter.com/idan_moral
GitHub: https://github.com/idan22moral

https://bugs.python.org/issue43086
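The check the PR describes (nothing may follow the padding), as an added pure-Python example rather than CPython's own C implementation: a strict wrapper around binascii.a2b_base64 that rejects the excess-data inputs from the description while still decoding valid input, shown side by side with the lenient decoder. The names strict_a2b_base64 and compare are hypothetical, and the regex is stricter than the PR's fix in one respect that is stated in its docstring: it also refuses non-alphabet bytes such as embedded newlines. The same end result is available natively on Python 3.11 and later via binascii.a2b_base64(data, strict_mode=True); the wrapper below works on older versions too.

```python
import binascii
import re

# Constructed sample inputs taken from the PR description: the first is valid
# base64 for b'hello'; the other two carry excess bytes after the padding.
SAMPLES = [b'aGVsbG8=', b'aGVsbG8==', b'aGVsbG8=python']

# Shape of canonical base64 (RFC 4648 section 4): whole quads of alphabet
# characters, then at most one final quad padded with '=' or '=='. The pattern
# is anchored at both ends, so nothing may follow the padding.
# Hypothetical helper for this example, not CPython's implementation.
_STRICT_B64 = re.compile(
    rb'\A(?:[A-Za-z0-9+/]{4})*'                    # zero or more complete quads
    rb'(?:[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?'  # optional padded tail
    rb'\Z'
)


def strict_a2b_base64(data: bytes) -> bytes:
    """Decode base64, rejecting any data after the padding.

    Unlike the lenient decoder, this also rejects non-alphabet bytes such as
    embedded newlines, which is stricter than the PR's description requires.
    """
    if not _STRICT_B64.match(data):
        raise binascii.Error("excess or non-base64 data in input")
    return binascii.a2b_base64(data)


def compare(data: bytes):
    """Return (lenient_result, strict_result); strict_result is None when rejected."""
    lenient = binascii.a2b_base64(data)  # stops parsing once padding is complete
    try:
        strict = strict_a2b_base64(data)
    except binascii.Error:
        strict = None
    return lenient, strict


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, compare(sample))
```

The lenient decoder returns b'hello' for all three samples because it stops reading as soon as the padding is complete; the strict wrapper accepts only the first. Anchoring the pattern at both ends is what makes the difference: a check that only looks for '=' in the input would still let b'aGVsbG8=python' through.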
Opengraph URL: https://github.com/python/cpython/pull/24402