atob accepts invalid base64 with garbage tail bits

Status: RESOLVED INVALID
Product: Core
Component: DOM
Reporter: Igor Bukanov (Unassigned)
Opened / last modified: 5 years ago

Description (Reporter, 5 years ago)
For strings where length % 4 == 2 or length % 4 == 3 atob does not verify that the lower bits of that last base64 character should be zero. For example atob("QR==") gives "A" when the correct encoding for "A" is "QQ==". Similarly atob("QUG=") gives "AA" when the correct encoding for "AA" is "QUE=".
Comment 1 (Boris Zbarsky (:bz), 5 years ago)

See the spec at http://www.whatwg.org/specs/web-apps/current-work/#dom-windowbase64-atob step 10 and the Note right after it.

Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
Comment 2 (Reporter, 5 years ago)
(In reply to Boris Zbarsky (:bz) from comment #1)
> See the spec at
> http://www.whatwg.org/specs/web-apps/current-work/#dom-windowbase64-atob
> step 10 and the Note right after it.

Any reason for that? It is strange that length % 4 == 1 that effectively provides 6 garbage bits is an error according to the step 5 while length % 2 == 2 and 4 garbage bits is not...

I expect the reason is that every UA does it that way already so changing it would be a web compat risk for no particularly good reason...

Furthermore, nothing else I've found anywhere defines base64 decoding, so there is no other spec that we're violating here, as far as I can tell.
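Below is an added example (not code from this bug report, from Firefox, or from the WHATWG spec) in JavaScript: a small base64 decoder that follows the forgiving decode steps cited in comment 1, and with an assumed `strictTail` option additionally rejects the non-zero trailing bits in inputs such as "QR==" and "QUG=" that the description and comment 2 discuss. The function name and the option are our own.

```javascript
// Added example, not code from the bug report or from Firefox/WHATWG.
// decodeBase64() mirrors atob(): strips ASCII whitespace, trims up to two
// "=" only when the length is a multiple of 4, and rejects length % 4 == 1.
// With { strictTail: true } (our own option) it also rejects inputs whose
// unused trailing bits are non-zero, which atob accepts per the spec note.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

function decodeBase64(input, { strictTail = false } = {}) {
  let s = input.replace(/[\t\n\f\r ]/g, "");
  if (s.length % 4 === 0) s = s.replace(/={1,2}$/, "");
  // One leftover character yields only 6 bits: never a whole byte.
  if (s.length % 4 === 1) {
    throw new Error("InvalidCharacterError: length % 4 == 1");
  }
  if (!/^[A-Za-z0-9+/]*$/.test(s)) {
    throw new Error("InvalidCharacterError: non-alphabet character");
  }
  const bytes = [];
  let buffer = 0; // never holds more than 13 pending bits
  let bits = 0;
  for (const ch of s) {
    buffer = (buffer << 6) | ALPHABET.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the not-yet-emitted bits
    }
  }
  // After the loop 0, 2 or 4 bits remain; a canonical encoder sets them to 0.
  if (strictTail && buffer !== 0) {
    throw new Error(
      `non-canonical base64: ${bits} unused tail bits hold value ${buffer}`
    );
  }
  return String.fromCharCode(...bytes);
}

// The cases from the report (constructed input): both modes agree on the
// canonical forms; only strict mode refuses the garbage-tail forms.
for (const b64 of ["QQ==", "QR==", "QUE=", "QUG="]) {
  let strict;
  try { strict = JSON.stringify(decodeBase64(b64, { strictTail: true })); }
  catch (e) { strict = `rejected (${e.message})`; }
  console.log(b64, "lenient:", JSON.stringify(decodeBase64(b64)), "strict:", strict);
}
```

Lenient mode reproduces exactly what the description reports ("QR==" and "QUG=" decode to "A" and "AA"); strict mode is what a canonical-encoding check looks like when an application cannot tolerate two different inputs decoding to the same bytes.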