-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Buffer.from('base64') decodes some white space as data #11987
Comments
I'm assuming Node.js doesn't throw on invalid base64 input for performance reasons. So it's basically "garbage in - garbage out". |
This is another issue, but there's technically no performance reason why Node's decoder could not throw on non-whitespace, non-alphabet characters. The current decoder can be upgraded without introducing any additional branching cost.
You're saying the lack of "=" padding plus extra trailing space is illegal? Node's decoder is supposed to ignore white space. It's also supposed to handle the lack of "=" padding. None of that is illegal.
There's nothing too unusual about this kind of input either. Imagine a MIME message scenario where the sender never added base64 padding, and an intermediary mail transport added trailing white space. |
Make sure trailing garbage is not treated as a valid base64 character. Fixes: nodejs#11987 PR-URL: nodejs#11995 Reviewed-By: Anna Henningsen <anna@addaleax.net>
Make sure trailing garbage is not treated as a valid base64 character. Fixes: nodejs/node#11987 PR-URL: nodejs/node#11995 Reviewed-By: Anna Henningsen <anna@addaleax.net>
I am writing a native addon to decode a buffer containing base64 directly into another buffer, without requiring the allocation of an interim string (see #11866 for why Node cannot decode base64 buffers directly).
I wrote a fuzz test to test my own decoder, and then decided to try it out on Node's base64 decoder.
There are a few cases where Node's decoder treats whitespace as actual data, rather than ignoring it. This happens when the "=" is left out:
In the failing cases, Node's decoder has interpolated a ">".
The text was updated successfully, but these errors were encountered: