René's URL Explorer Experiment


Title: bpo-43086: Added handling for excess data in binascii.a2b_base64 by idan22moral · Pull Request #24402 · python/cpython · GitHub

Description:

Currently, when providing binascii.a2b_base64() base-64 input with excess data after the padding (=/==), the excess data is ignored.

Example:

    import binascii
    binascii.a2b_base64(b'aGVsbG8=')        # b'hello' (valid)
    binascii.a2b_base64(b'aGVsbG8==')       # b'hello' (ignoring data)
    binascii.a2b_base64(b'aGVsbG8=python')  # b'hello' (ignoring data)

Note: MANY libraries (such as the all-time favorite base64) use this function as their decoder.

Why is it problematic:
- User input can contain additional data after base64 data, which can lead to unintended behavior in products.
- Well-crafted user input can be used to bypass conditions in code (example in the referenced tweet).
- Can be used to target vulnerable libraries and bypass authentication mechanisms such as JWT (potentially).

The logic behind my fix PR on GitHub: Before deciding to finish the function (after knowing the fact that we passed the data padding), we should check if there's no more data after the padding. If excess data exists, we should raise an error, free the allocated writer, and return null. Else, everything's fine, and we can proceed to the function's end as previously.

Though not publicly disclosed, this behavior can lead to security issues in heavily-used projects. Preventing this behavior sounds more beneficial than harmful, since there's no known good usage for this behavior. From what I read, the Python implementation is not so close (when speaking about this case of course) to the base64 RFC (link: https://tools.ietf.org/html/rfc4648#section-3.3).

Thanks to Ori Damari for bringing this behavior up, and thanks to Ryan Mast, and many of the other great guys for discussing the problem in the comments.

Link to the tweet

Idan Moral
Twitter: https://twitter.com/idan_moral
GitHub: https://github.com/idan22moral

https://bugs.python.org/issue43086
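The lenient behaviour the description shows, placed next to a strict decoder, as an added example (this is not code from the PR or from CPython). The HELLO_ALIASES and MALFORMED inputs are constructed for the example, and the a2b_base64_strict, lenient_decodes, strict_accepts and agrees_with_cpython_strict_mode helpers are its own; the only CPython API it relies on beyond the lenient default is the strict_mode keyword the PR adds to binascii.a2b_base64, available from Python 3.11 on. The example also goes one step past the PR: its round-trip check rejects encodings whose unused trailing bits are non-zero (RFC 4648 section 3.5), which the PR's strict mode does not check, because the same bypass logic applies to them (b'aGVsbG9=' also decodes to b'hello').

```python
"""Lenient vs. strict base64 decoding (added example; not code from the PR).

The sample inputs below are constructed for this example. The strict decoder,
the regular expression and the helper names are this example's own; only the
``strict_mode`` keyword (binascii.a2b_base64, Python 3.11 and later) belongs
to CPython.
"""
import binascii
import re
import sys

# Canonical RFC 4648 shape: zero or more full 4-character groups, then at most
# one padded group ("xx==" or "xxx="), and nothing else before or after.
_CANONICAL = re.compile(
    rb"\A(?:[A-Za-z0-9+/]{4})*"
    rb"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\Z"
)


def a2b_base64_strict(data: bytes) -> bytes:
    """Decode base64, refusing every input that is not the one canonical encoding.

    The regex gate rejects what RFC 4648 section 3.3 says a strict decoder must
    refuse and what the PR's strict mode targets: non-alphabet bytes (whitespace
    included), leading or excess padding, and data after or inside the padding.
    The round-trip check goes further than the PR: it also rejects encodings
    whose unused trailing bits are non-zero (RFC 4648 section 3.5), so that one
    decoded value has exactly one accepted encoding.
    """
    if not _CANONICAL.match(data):
        raise binascii.Error("non-canonical base64: alphabet, padding or trailing data")
    decoded = binascii.a2b_base64(data)  # safe here: the shape is already canonical
    if binascii.b2a_base64(decoded, newline=False) != bytes(data):
        raise binascii.Error("non-canonical base64: non-zero trailing bits")
    return decoded


# Constructed inputs. The default decoder returns b"hello" for all of them;
# only the first is the canonical encoding of b"hello".
HELLO_ALIASES = [
    b"aGVsbG8=",        # canonical
    b"aGVsbG8==",       # excess padding (the PR description's example)
    b"aGVsbG8=python",  # data after the padding (the PR description's example)
    b"aGVs bG8=",       # non-alphabet byte silently skipped by the default decoder
    b"aGVsbG9=",        # last sextet carries non-zero unused bits
]

# Constructed inputs for the shapes the PR's commits add strict-mode tests for.
MALFORMED = [
    b"=aGVsbG8",   # leading padding
    b"====",       # padding-only input
    b"aGVsbG=8=",  # data in the middle of the padding
    b"!GVsbG8=",   # invalid data as the first character
]


def lenient_decodes(inputs):
    """Distinct values the default (lenient) decoder produces for inputs."""
    return {binascii.a2b_base64(x) for x in inputs}


def strict_accepts(inputs):
    """Subset of inputs that a2b_base64_strict accepts, in input order."""
    accepted = []
    for x in inputs:
        try:
            a2b_base64_strict(x)
        except binascii.Error:
            continue
        accepted.append(x)
    return accepted


def agrees_with_cpython_strict_mode(inputs):
    """Compare the regex gate with binascii.a2b_base64(..., strict_mode=True).

    Returns None on interpreters older than 3.11, which lack the keyword.
    Only the syntax gate is compared; the trailing-bits rule is this
    example's addition and CPython's strict mode does not enforce it.
    """
    if sys.version_info < (3, 11):
        return None
    for x in inputs:
        try:
            binascii.a2b_base64(x, strict_mode=True)
            cpython_ok = True
        except binascii.Error:
            cpython_ok = False
        if cpython_ok != bool(_CANONICAL.match(x)):
            return False
    return True


if __name__ == "__main__":
    print("lenient decoder collapses", len(HELLO_ALIASES), "inputs to", lenient_decodes(HELLO_ALIASES))
    print("strict decoder accepts", strict_accepts(HELLO_ALIASES))
    print("strict decoder rejects all malformed:", strict_accepts(MALFORMED) == [])
    print("matches CPython strict_mode:",
          agrees_with_cpython_strict_mode(HELLO_ALIASES[:4] + MALFORMED + [b""]))
```

Run it directly to see all five aliases collapse to b'hello' under the default decoder while only the canonical one passes the strict path. Where code compares or matches the encoded form (tokens, signatures, allow-lists), it should decode strictly or compare the decoded bytes; an equality check on the encoded string accepts whichever alias the caller chose, which is the kind of condition bypass the description refers to.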

Opengraph URL: https://github.com/python/cpython/pull/24402

Domain: github.com


Links:

gpsheadhttps://github.com/gpshead
python:mainhttps://github.com/python/cpython/tree/main
idan22moral:masterhttps://github.com/idan22moral/cpython/tree/master
Conversation 27 https://github.com/python/cpython/pull/24402
Commits 26 https://github.com/python/cpython/pull/24402/commits
Checks 0 https://github.com/python/cpython/pull/24402/checks
Files changed https://github.com/python/cpython/pull/24402/files
bpo-43086: Added handling for excess data in binascii.a2b_base64 https://github.com/python/cpython/pull/24402/files#top
Commits (26):
52d83e9  Added handling for excess data in binascii.a2b_base64  (idan22moral, Jan 31, 2021)  https://github.com/python/cpython/pull/24402/commits/52d83e9fa67b7b4cd246f34ecac9689b8cdf266d
557bce8  📜🤖 Added by blurb_it.  (blurb-it[bot], Jan 31, 2021)  https://github.com/python/cpython/pull/24402/commits/557bce8b6bad1387e8f6fc886f9e8fa42c3031bb
6ed5193  Added if-state guard  (idan22moral, Mar 13, 2021)  https://github.com/python/cpython/pull/24402/commits/6ed5193a3d302e1200cf729bf5eb88d195c3cd72
4ee90f5  Merge branch 'master' of https://github.com/idan22moral/cpython  (idan22moral, Mar 30, 2021)  https://github.com/python/cpython/pull/24402/commits/4ee90f5b89bfd1cc256990a28e4fe83b43de7183
c7b723f  Implemented the strict mode logic  (idan22moral, Mar 30, 2021)  https://github.com/python/cpython/pull/24402/commits/c7b723f4c776be794d3e7626fad62694434e3bb5
93f497a  Merge branch 'master' of https://github.com/python/cpython  (idan22moral, Mar 30, 2021)  https://github.com/python/cpython/pull/24402/commits/93f497aa218675861df8e3165fcad17a032997aa
f6283d9  Trying to fix the "Check if generated files are up to date" failure  (idan22moral, Apr 7, 2021)  https://github.com/python/cpython/pull/24402/commits/f6283d9787f763ee925c9a97e0731d345379be40
cedbb85  Generated function signatures using clinic  (idan22moral, Apr 7, 2021)  https://github.com/python/cpython/pull/24402/commits/cedbb856cb14e13fe5bfc7581fcb49653e071869
69c96d5  Handle data in the middle of the padding in strict mode  (idan22moral, Apr 12, 2021)  https://github.com/python/cpython/pull/24402/commits/69c96d54e4c1a4992f00cbb0a8f895292b158296
3718ebd  Added a test for strict mode  (idan22moral, Apr 12, 2021)  https://github.com/python/cpython/pull/24402/commits/3718ebd1c0ee0a8ec4b38f8884ea7a04290670a4
d0b60e2  Added a test for invalid data as the first character  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/d0b60e23dd5edaf2efa7a1b10192783381529dd2
afb95db  Disallowed leading padding in strict mode  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/afb95dba830961aceda9070d69eb727405fbdd8d
3c5758b  Added tests for padding-only input  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/3c5758b63211d2a8a037db018f0632674b179365
5f8df5b  Added tests to validate the default behavior.  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/5f8df5b7768e62919db79e772de027be5206b093
644dbaf  Described the changes of this pull request  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/644dbaf5871237da50aa08444e60a6a9b119dce9
464484c  Modified syntax of RST  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/464484cd1e51d7db33a8235dbd3e5fe81fbad0fb
e1ccf8a  Updated the docs to explain the strict_mode parameter  (idan22moral, Jul 10, 2021)  https://github.com/python/cpython/pull/24402/commits/e1ccf8aed107746bf52c21f3cf632760dd183ce2
d6a5cbf  Moved declaration of state to the beginning to prevent multiple decla…  (idan22moral, Jul 16, 2021)  https://github.com/python/cpython/pull/24402/commits/d6a5cbfbc688711f6f53596e1722865455eb7957
5abc68f  Merge branch 'main' into master  (idan22moral, Jul 16, 2021)  https://github.com/python/cpython/pull/24402/commits/5abc68ff528e8b3f4f31cf40bf14c1bb4628b659
08aa26c  Corrected the RST syntax for argument in docs (italic)  (idan22moral, Jul 16, 2021)  https://github.com/python/cpython/pull/24402/commits/08aa26c3435cbc9f599eab7e5d6a87b717294dbd
2f1990e  Corrected the RST syntax for argument in news (italic)  (idan22moral, Jul 16, 2021)  https://github.com/python/cpython/pull/24402/commits/2f1990e1e3bc4fcc024ae1fd982221da813b42e9
fa959bd  Removed whitespace that led to build failure  (idan22moral, Jul 16, 2021)  https://github.com/python/cpython/pull/24402/commits/fa959bd54f692807a6268f20403b4f56119bf302
a60a8c6  use self.assertEqual instead of assert ==  (gpshead, Jul 18, 2021)  https://github.com/python/cpython/pull/24402/commits/a60a8c6ec438763b8403d80fb7130276b649e769
0307272  remove leading `| ` characters in NEWS  (gpshead, Jul 18, 2021)  https://github.com/python/cpython/pull/24402/commits/03072726fe040ec0057d5d3ac0b995cc58918e35
d26e1eb  Simplify the error messages.  (gpshead, Jul 18, 2021)  https://github.com/python/cpython/pull/24402/commits/d26e1ebc086f50f8bc9f2d1ae85600d8279ca9b1
652e7f4  update test for error message (Leading vs Malformed)  (gpshead, Jul 18, 2021)  https://github.com/python/cpython/pull/24402/commits/652e7f4e6395947c0e558647a7c46c927f544a7f
Files changed (5):

Doc/library/binascii.rst  https://github.com/python/cpython/pull/24402/files#diff-d8ff111ba7edab3404f42600a80f1a78c62dedaef5783cd5fa59d9dce0ba232f
    View file at 652e7f4: https://github.com/idan22moral/cpython/blob/652e7f4e6395947c0e558647a7c46c927f544a7f/Doc/library/binascii.rst
Lib/test/test_binascii.py  https://github.com/python/cpython/pull/24402/files#diff-aeec59865b47d3778520e9e507ff5ee4c06d96434433669b1abc4d36d425bde5
    View file at 652e7f4: https://github.com/idan22moral/cpython/blob/652e7f4e6395947c0e558647a7c46c927f544a7f/Lib/test/test_binascii.py
Misc/NEWS.d/next/Library/2021-01-31-18-24-54.bpo-43086.2_P-SH.rst  https://github.com/python/cpython/pull/24402/files#diff-c1ff7111d7774dabf568d4642343d9d8766eaf82628bc7c7d1564f166e766dc5
    View file at 652e7f4: https://github.com/idan22moral/cpython/blob/652e7f4e6395947c0e558647a7c46c927f544a7f/Misc/NEWS.d/next/Library/2021-01-31-18-24-54.bpo-43086.2_P-SH.rst
Modules/binascii.c  https://github.com/python/cpython/pull/24402/files#diff-ba5e0c9b1d3a07e484b80157530df909d6cbc13e479e464e9fe0e7744822653c
    View file at 652e7f4: https://github.com/idan22moral/cpython/blob/652e7f4e6395947c0e558647a7c46c927f544a7f/Modules/binascii.c
Modules/clinic/binascii.c.h  https://github.com/python/cpython/pull/24402/files#diff-e34d4c9e0ce6432d401a8778474cb8e8808d3fa11e8742e056df7d0c9f6fbeaf
    View file at 652e7f4: https://github.com/idan22moral/cpython/blob/652e7f4e6395947c0e558647a7c46c927f544a7f/Modules/clinic/binascii.c.h