From: bascule@... Date: 2015-01-16T04:44:49+00:00 Subject: [ruby-core:67617] [ruby-trunk - Feature #10740] Base64 urlsafe methods are not urlsafe Issue #10740 has been updated by Tony Arcieri. Hi Yusuke, The specific text in RFC4648 is here: "Implementations MUST include appropriate pad characters at the end of encoded data **unless the specification referring to this document explicitly states otherwise.**" There is a very specific allowance in RFC4648 to support unpadded base64url encoding for *any* RFC which chooses to omit it. ---------------------------------------- Feature #10740: Base64 urlsafe methods are not urlsafe https://bugs.ruby-lang.org/issues/10740#change-51038 * Author: Scott Blum * Status: Feedback * Priority: Normal * Assignee: Yusuke Endoh ---------------------------------------- Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters. Base64.urlsafe_encode64 produces trailing '=' characters. '=' is not web safe, and is not recommended for base64url. Some specs even disallow. Suggested fix: ~~~ # Returns the Base64-encoded version of +bin+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/' # and has no trailing pad characters. def urlsafe_encode64(bin) strict_encode64(bin).tr("+/", "-_").tr('=', '') end # Returns the Base64-decoded version of +str+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/'. # Trailing pad characters are optional. def urlsafe_decode64(str) str = str.tr("-_", "+/") str = str.ljust((str.length + 3) & ~3, '=') strict_decode64(str) end ~~~ ---Files-------------------------------- base64-urlsafe-encode64-search-result.txt (19.9 KB) -- https://bugs.ruby-lang.org/