From: dragonsinth@...
Date: 2015-01-13T23:15:42+00:00
Subject: [ruby-core:67572] [ruby-trunk - Bug #10740] Base64 urlsafe methods are not urlsafe

Issue #10740 has been updated by Scott Blum.

https://github.com/ruby/ruby/pull/815

----------------------------------------
Bug #10740: Base64 urlsafe methods are not urlsafe
https://bugs.ruby-lang.org/issues/10740#change-50982

* Author: Scott Blum
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v: ruby 2.1.3p242 (2014-09-19 revision 47630) [x86_64-darwin14.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters.
Base64.urlsafe_encode64 produces trailing '=' characters. '=' is not web safe, and is not recommended for base64url. Some specs even disallow it.

Suggested fix:

~~~
  # Returns the Base64-encoded version of +bin+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'
  # and has no trailing pad characters.
  def urlsafe_encode64(bin)
    strict_encode64(bin).tr("+/", "-_").tr('=', '')
  end

  # Returns the Base64-decoded version of +str+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'.
  # Trailing pad characters are optional.
  def urlsafe_decode64(str)
    str = str.tr("-_", "+/")
    str = str.ljust((str.length + 3) & ~3, '=')
    strict_decode64(str)
  end
~~~

--
https://bugs.ruby-lang.org/
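Added example (not part of the original report or of Ruby's base64 library): a stricter base64url codec in the spirit of the suggested fix, built on the core `pack('m0')` / `unpack1('m0')` primitives. The module name `UrlSafe64` and the sample strings are assumptions constructed for illustration; unlike a `tr`-based decoder it also rejects `+`, `/` and partial padding, which matters when a token must have exactly one accepted spelling.

```ruby
# Strict base64url (RFC 4648 section 5) with optional padding on decode.
# UrlSafe64 is a hypothetical name used only for this example.
module UrlSafe64
  # URL-safe alphabet only, with at most two '=' and only at the very end.
  SHAPE = /\A[A-Za-z0-9_-]*={0,2}\z/

  # Encode without padding, so the output needs no escaping in a URL.
  def self.encode(bin)
    [bin].pack('m0').tr('+/', '-_').delete('=')
  end

  # Decode padded or unpadded input; raise ArgumentError on anything else.
  def self.decode(str)
    raise ArgumentError, 'not base64url' unless str.match?(SHAPE)
    body = str.delete('=')
    # A single leftover character carries only 6 bits: no valid encoding.
    raise ArgumentError, 'impossible length' if body.length % 4 == 1
    padded = body.ljust((body.length + 3) & ~3, '=')
    # If the sender padded at all, the padding must be complete.
    raise ArgumentError, 'partial padding' if str.include?('=') && str != padded
    padded.tr('-_', '+/').unpack1('m0')
  end

  # Boolean wrapper, convenient for input validation.
  def self.accepts?(str)
    decode(str)
    true
  rescue ArgumentError
    false
  end
end

# Constructed sample inputs (not taken from the bug report).
SAMPLES = {
  '-_8'   => 'unpadded, URL-safe alphabet',
  '-_8='  => 'fully padded, URL-safe alphabet',
  '+/8'   => 'standard alphabet, rejected here',
  'Zg='   => 'partial padding',
  'Zm9vY' => 'length 4n+1',
  "Zg\n"  => 'trailing newline'
}.freeze

SAMPLES.each do |input, note|
  verdict = UrlSafe64.accepts?(input) ? 'accept' : 'reject'
  puts format('%-8s %-6s %s', input.inspect, verdict, note)
end
```
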