base32's People

Contributors

afk11, christianriesen, fbonzon, georgringer, jeroendesloovere, lucasmichot, nickshanks, peter279k, reedy, samuelwilliams, spomky

base32's Issues

Need BadBase32Exception and errors if data cannot be decoded properly

... or \Base32\DecodeException

I found this test suite. The negative cases down the bottom are engineered to detect implementation errors; we should add them.

Base32 hex: https://opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/modules/base32/base32hex.testsuite.auto.html
Base32: https://opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/modules/base32/base32.testsuite.auto.html

On the first, preg_replace should be removed and preg_match & fail used instead. An RFC-respecting implementation probably shouldn't accept all that many possibilities, or if so, it could be put behind an options bitmask/whatever and not the default.

If non-alphabet characters are ignored, instead of causing rejection
of the entire encoding (as recommended), a covert channel that can be
used to "leak" information is made possible.

https://tools.ietf.org/html/rfc4648#section-12

The rest might take a bit more work :)

Edit: found something else interesting

Similarly, when the base 16 and base 32 alphabets are handled case
insensitively, alteration of case can be used to leak information or
make string equality comparisons fail.

https://github.com/ChristianRiesen/base32/blob/master/src/Base32.php hmm, here we do strtoupper on input. Instead of doing this, we should require the upper case characters be used. The RFC quote here suggests you could make a covert channel to leak information by encoding it by varying the characters which are upper/lower case. I'm fairly sure that's what they mean about ignoring non-alphabet characters too btw

I think we could make this safer - If we see someone mixing case or using lower-case we should fail to decode and mention DECODE_UPPERCASE and DECODE_LOWERCASE in the error. If we tell them which option to use for the case they want we might avoid them using strtoupper/etc and introducing the issue into their own code
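
A sketch of the strict decoding discussed in this issue, added here as an example and not taken from the library: input is validated with preg_match and rejected on any non-alphabet character or wrong case, never stripped or case-folded. The function and exception names are hypothetical, the two option names follow the issue text, and the padding-length and trailing-bit checks go slightly beyond what the issue asks for.

```php
<?php
declare(strict_types=1);
// Hypothetical names; this is not the library's API.
final class Base32DecodeException extends \InvalidArgumentException {}

const DECODE_UPPERCASE = 1; // option names as proposed in the issue
const DECODE_LOWERCASE = 2;

function strictBase32Decode(string $input, int $case = DECODE_UPPERCASE): string
{
    if ($input === '') {
        return '';
    }
    $lower = $case === DECODE_LOWERCASE;
    $alphabet = $lower ? 'abcdefghijklmnopqrstuvwxyz234567' : 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $c = $lower ? '[a-z2-7]' : '[A-Z2-7]';
    // preg_match and fail, never preg_replace: whole 8-character groups only,
    // padding only at the end and only in the lengths RFC 4648 allows.
    $re = "/\\A(?:{$c}{8})*(?:{$c}{2}={6}|{$c}{4}={4}|{$c}{5}={3}|{$c}{7}=)?\\z/";
    if (preg_match($re, $input) !== 1) {
        throw new Base32DecodeException(
            'Not canonical base32 for the selected case; choose DECODE_UPPERCASE '
            . 'or DECODE_LOWERCASE instead of changing the case of the input.'
        );
    }
    $acc = 0; $bits = 0; $out = '';
    foreach (str_split(rtrim($input, '=')) as $ch) {
        $acc = ($acc << 5) | strpos($alphabet, $ch);
        $bits += 5;
        if ($bits >= 8) {
            $bits -= 8;
            $out .= chr(($acc >> $bits) & 0xFF);
            $acc &= (1 << $bits) - 1;
        }
    }
    if ($acc !== 0) { // leftover pad bits must be zero, or many strings map to one value
        throw new Base32DecodeException('Non-zero trailing bits in the final group.');
    }
    return $out;
}

// Constructed inputs: only the first is accepted.
foreach (['MZXW6YTB', 'mzxw6ytb', 'MZXW 6YTB', 'MZXW6YT='] as $s) {
    try {
        echo $s, ' => ', strictBase32Decode($s), PHP_EOL;
    } catch (Base32DecodeException $e) {
        echo $s, ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```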

BUG - Unpacking signed chars, not unsigned chars

$chars = (array) \unpack('c*', $string, 0);

When unpacking the string, the $format used is 'c*' (signed char). This is the wrong format: it leads to bytes larger than 0x7f being interpreted as negative integers. The correct format is 'C*' (unsigned char).

The tests cannot pick this up because they are limited to the ASCII space (0x00 - 0x7F).
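
The effect of the two unpack() formats on an encoder, as an added example that is not the library's code: a hypothetical shift-and-mask base32 encoder (encodeWith) is run with both formats, and a second hypothetical helper (firstDisagreement) scans every byte value to show that the outputs only diverge outside the ASCII range, which is why ASCII-only tests pass. All inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical RFC 4648 base32 encoder, parameterised on the unpack() format so the
// two behaviours can be compared side by side. Not the library's code.
function encodeWith(string $format, string $data): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $acc = 0; $bits = 0; $out = '';
    foreach ((array) unpack($format, $data) as $byte) {
        $acc = ($acc << 8) | $byte; // a negative $byte sets every higher bit of $acc
        $bits += 8;
        while ($bits >= 5) {
            $bits -= 5;
            $out .= $alphabet[($acc >> $bits) & 0x1F];
        }
        $acc &= (1 << $bits) - 1;
    }
    if ($bits > 0) {
        $out .= $alphabet[($acc << (5 - $bits)) & 0x1F];
    }
    return str_pad($out, intdiv(strlen($out) + 7, 8) * 8, '=');
}

// Lowest second byte for which 'c*' and 'C*' produce different output, or null.
function firstDisagreement(): ?int
{
    for ($b = 0; $b <= 0xFF; $b++) {
        $data = "\x01" . chr($b);
        if (encodeWith('c*', $data) !== encodeWith('C*', $data)) {
            return $b;
        }
    }
    return null;
}

var_dump(unpack('c*', "\xFF"), unpack('C*', "\xFF")); // signed vs unsigned view of one byte
echo encodeWith('C*', "\x01\xFF"), PHP_EOL;
echo encodeWith('c*', "\x01\xFF"), PHP_EOL;
var_dump(firstDisagreement());
```

A regression test for this bug should round-trip inputs that contain every byte value from 0x00 to 0xFF, not only printable ASCII.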

Error decoding an entirely non-base32 string

In the decode() method, the first step is to check for an empty string:

if (strlen($base32String) == 0) {
    // Gives an empty string
    return '';
}

However, the second step is to strip out any non-base32 characters. If the string to decode is entirely non-base32 characters (granted, a strange thing to pass into a base32 decode method), the string will be left as an empty string. The empty string would then be split into an array here:

$base32Array = str_split($base32String); // $base32String is empty at this point

which sets $base32Array to be an array with a single item, an empty string (see here for the description of this "bug"). This causes the subsequent foreach loop to iterate once, on an empty string. That causes an error in the first line of the foreach loop:

foreach ($base32Array as $str) {
    $char = self::$decode[$str];

as $str here is an empty string and there is no such key in self::$decode.

It seems as though the approach in this library is to silently remove non-base32 characters (unlike the Python standard library, which throws a TypeError if a non-Base32 string is passed to decode), so I will submit a Pull Request that should silently handle this problem.
