From: mame@...
Date: 2015-01-14T05:43:43+00:00
Subject: [ruby-core:67575] [ruby-trunk - Feature #10740] [Feedback] Base64 urlsafe methods are not urlsafe

Issue #10740 has been updated by Yusuke Endoh.

Tracker changed from Bug to Feature
Status changed from Open to Feedback
Assignee set to Yusuke Endoh

Hello, I'm a maintainer of lib/base64.

I don't think that this is a bug.  RFC 4648 is still the latest standard of Base64.  (Note that RFC 6920 does not obsolete RFC 4648.)  Because lib/base64 is an implementation of Base64, it should comply with RFC 4648, at least, by default.  Moving to the feature tracker.

I found Python's ticket about the same issue: http://bugs.python.org/issue1661108
They decided to follow the spec, as-is, even though it looks broken.  I respect them.


That being said, I understand that the current behavior is not useful for some people.  I don't think it is a good idea to change the behavior because of compatibility issue (as akr said), but I'm happy to add something like "no padding" option.  However, RFC 4648 also says:

> The pad character "=" is typically percent-encoded when used in an
> URI [9], but if the data length is known implicitly, this can be
> avoided by skipping the padding; see section 3.2.

I have no idea what it is talking about; the data length is known with or without padding.  But spec is spec.  According to it, I think urlsafe_decode64 must receive the data length argument.  I have no idea how the method should handle the argument, though ;-(  I'm unsure if this is a right direction.

Related discussion: http://stackoverflow.com/questions/4080988/why-does-base64-encoding-requires-padding-if-the-input-length-is-not-divisible-b

So, I'm uncertain what to do.  Any idea?

-- 
Yusuke Endoh <mame@ruby-lang.org>

----------------------------------------
Feature #10740: Base64 urlsafe methods are not urlsafe
https://bugs.ruby-lang.org/issues/10740#change-50986

* Author: Scott Blum
* Status: Feedback
* Priority: Normal
* Assignee: Yusuke Endoh
----------------------------------------
Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters.
Base64.urlsafe_encode64 produces trailing '=' characters.

'=' is not web safe, and is not recommended for base64url.  Some specs even disallow.

Suggested fix:

~~~
  # Returns the Base64-encoded version of +bin+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'
  # and has no trailing pad characters.
  def urlsafe_encode64(bin)
    strict_encode64(bin).tr("+/", "-_").tr('=', '')
  end

  # Returns the Base64-decoded version of +str+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'.
  # Trailing pad characters are optional.
  def urlsafe_decode64(str)
    str = str.tr("-_", "+/")
    str = str.ljust((str.length + 3) & ~3, '=')
    strict_decode64(str)
  end
~~~


---Files--------------------------------
base64-urlsafe-encode64-search-result.txt (19.9 KB)


-- 
https://bugs.ruby-lang.org/