From: mame@... Date: 2015-01-17T02:49:26+00:00 Subject: [ruby-core:67644] [ruby-trunk - Feature #10740] Base64 urlsafe methods are not urlsafe Issue #10740 has been updated by Yusuke Endoh. Nobuyoshi Nakada wrote: > Why does `urlsafe_decode64` use `strict_decode64`, but not just `unpack("m")`? unpack("m") and Base64.decode64 are based on RFC 2045. unpack("m0"), Base64.strict_decode64, and Base64.urlsafe_decode64 (base64url) are based on RFC 4648. RFC 2045 allows characters outside the base alphabet, such as CR and LF, and RFC 4648 does not (by default). -- Yusuke Endoh ---------------------------------------- Feature #10740: Base64 urlsafe methods are not urlsafe https://bugs.ruby-lang.org/issues/10740#change-51065 * Author: Scott Blum * Status: Feedback * Priority: Normal * Assignee: Yusuke Endoh ---------------------------------------- Base64.urlsafe_decode64 is not to spec, because it currently REQUIRES appropriate trailing '=' characters. Base64.urlsafe_encode64 produces trailing '=' characters. '=' is not web safe, and is not recommended for base64url. Some specs even disallow. Suggested fix: ~~~ # Returns the Base64-encoded version of +bin+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/' # and has no trailing pad characters. def urlsafe_encode64(bin) strict_encode64(bin).tr("+/", "-_").tr('=', '') end # Returns the Base64-decoded version of +str+. # This method complies with ``Base 64 Encoding with URL and Filename Safe # Alphabet'' in RFC 4648. # The alphabet uses '-' instead of '+' and '_' instead of '/'. # Trailing pad characters are optional. def urlsafe_decode64(str) str = str.tr("-_", "+/") str = str.ljust((str.length + 3) & ~3, '=') strict_decode64(str) end ~~~ ---Files-------------------------------- base64-urlsafe-encode64-search-result.txt (19.9 KB) urlsafe_base64.patch (2.97 KB) -- https://bugs.ruby-lang.org/