From: mame@... Date: 2015-01-14T05:43:43+00:00 Subject: [ruby-core:67575] [ruby-trunk - Feature #10740] [Feedback] Base64 urlsafe methods are not urlsafe Issue #10740 has been updated by Yusuke Endoh. Tracker changed from Bug to Feature Status changed from Open to Feedback Assignee set to Yusuke Endoh Hello, I'm a maintainer of lib/base64. I don't think that this is a bug. RFC 4648 is still the latest standard of Base64. (Note that RFC 6920 does not obsolete RFC 4648.) Because lib/base64 is an implementation of Base64, it should comply with RFC 4648, at least, by default. Moving to the feature tracker. I found Python's ticket about the same issue: http://bugs.python.org/issue1661108 They decided to follow the spec, as-is, even though it looks broken. I respect them. That being said, I understand that the current behavior is not useful for some people. I don't think it is a good idea to change the behavior because of compatibility issue (as akr said), but I'm happy to add something like "no padding" option. However, RFC 4648 also says: > The pad character "=" is typically percent-encoded when used in an > URI [9], but if the data length is known implicitly, this can be > avoided by skipping the padding; see section 3.2. I have no idea what it is talking about; the data length is known with or without padding. But spec is spec. According to it, I think urlsafe_decode64 must receive the data length argument. I have no idea how the method should handle the argument, though ;-( I'm unsure if this is a right direction. Related discussion: http://stackoverflow.com/questions/4080988/why-does-base64-encoding-requires-padding-if-the-input-length-is-not-divisible-b So, I'm uncertain what to do. Any idea? -- Yusuke Endoh ---------------------------------------- Feature #10740: Base64 urlsafe methods are not urlsafe https://bugs.ruby-lang.org/issues/10740#change-50986 * Author: Scott Blum * Status: Feedback * Priority: Normal * Assignee: Yusuke Endoh ---------------------------------------- Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters. Base64.urlsafe_encode64 produces trailing '=' characters. '=' is not web safe, and is not recommended for base64url. Some specs even disallow. Suggested fix: ~~~ # Returns the Base64-encoded version of +bin+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/' # and has no trailing pad characters. def urlsafe_encode64(bin) strict_encode64(bin).tr("+/", "-_").tr('=', '') end # Returns the Base64-decoded version of +str+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/'. # Trailing pad characters are optional. def urlsafe_decode64(str) str = str.tr("-_", "+/") str = str.ljust((str.length + 3) & ~3, '=') strict_decode64(str) end ~~~ ---Files-------------------------------- base64-urlsafe-encode64-search-result.txt (19.9 KB) -- https://bugs.ruby-lang.org/