From: mame@...
Date: 2015-01-15T03:46:48+00:00
Subject: [ruby-core:67597] [ruby-trunk - Feature #10740] Base64 urlsafe	methods are not urlsafe

Issue #10740 has been updated by Yusuke Endoh.


My point is so simple: lib/base64 should comply with RFC 4648 as far as possible.  Please explain your proposal based on RFC 4648 instead of RFC 6920 (that is NOT a spec of Base64), the behavior of the other libraries, etc.  If you think RFC 4648 is unreasonable, please tell it to IETF.

Tony Arcieri wrote:
> According to RFC4648 this is allowed.

I know.  RFC 6290 makes such an exception.  But there is no reason why THIS library does so.  Note that this library is general-purpose, not for a specific use case such as an URL.

Scott Blum wrote:
> Otherwise, you have the bizarre situation where: 
> 
> `Base64.urlsafe_decode64(SecureRandom.urlsafe_base64(len) # raises if len % 3 != 0`

The situation itself is unfortunate.

I noticed that RFC 4648 does not mention the case where the padding lacks.  It just says that the library MAY ignore extra paddings, though.

> If more than the allowed number
> of pad characters is found at the end of the string (e.g., a base 64
> string terminated with "==="), the excess pad characters MAY also be
> ignored.

So, it might be acceptable to tolerate unpadded input.  Of course, we must still care about a compatibility issue.

-- 
Yusuke Endoh <mame@ruby-lang.org>

----------------------------------------
Feature #10740: Base64 urlsafe methods are not urlsafe
https://bugs.ruby-lang.org/issues/10740#change-51018

* Author: Scott Blum
* Status: Feedback
* Priority: Normal
* Assignee: Yusuke Endoh
----------------------------------------
Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters.
Base64.urlsafe_encode64 produces trailing '=' characters.

'=' is not web safe, and is not recommended for base64url.  Some specs even disallow.

Suggested fix:

~~~
  # Returns the Base64-encoded version of +bin+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'
  # and has no trailing pad characters.
  def urlsafe_encode64(bin)
    strict_encode64(bin).tr("+/", "-_").tr('=', '')
  end

  # Returns the Base64-decoded version of +str+.
  # This method complies with ``Base 64 Encoding with URL and Filename Safe
  # Alphabet'' in RFC 4648.
  # The alphabet uses '-' instead of '+' and '_' instead of '/'.
  # Trailing pad characters are optional.
  def urlsafe_decode64(str)
    str = str.tr("-_", "+/")
    str = str.ljust((str.length + 3) & ~3, '=')
    strict_decode64(str)
  end
~~~


---Files--------------------------------
base64-urlsafe-encode64-search-result.txt (19.9 KB)


-- 
https://bugs.ruby-lang.org/