[TASK] Add strict parameter to base64url decode

PHP's base64_decode has a strict parameter to only accept characters of the corresponding base64 alphabet, see https://www.php.net/manual/en/function.base64-decode.php Resolves: #102620 Releases: main, 12.4 Change-Id: I39a038519ec1e884ba42f691c6dea76cbce772fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82271 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>

[TASK] Add strict parameter to base64url decode
PHP's base64_decode has a strict parameter to only accept characters of the corresponding base64 alphabet, see https://www.php.net/manual/en/function.base64-decode.php Resolves: #102620 Releases: main, 12.4 Change-Id: I39a038519ec1e884ba42f691c6dea76cbce772fe Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82271 Tested-by: core-ci <typo3@b13.com> Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
b9cabb72 · Oliver Hader · Oliver Hader · 72f25722 · b9cabb72 · b9cabb72
Commit b9cabb72 authored 1 year ago by Oliver Hader Committed by Oliver Hader 1 year ago
--- a/typo3/sysext/core/Classes/Security/Nonce.php
+++ b/typo3/sysext/core/Classes/Security/Nonce.php
@@ -45,7 +45,7 @@ class Nonce implements SigningSecretInterface
            $payload = self::decodeJwt($jwt, self::createSigningKeyFromEncryptionKey(Nonce::class), true);
            return GeneralUtility::makeInstance(
                self::class,
-                StringUtility::base64urlDecode($payload['nonce'] ?? ''),
+                StringUtility::base64urlDecode($payload['nonce'] ?? '', true),
                \DateTimeImmutable::createFromFormat(\DateTimeImmutable::RFC3339, $payload['time'] ?? null)
            );
        } catch (\Throwable $t) {

--- a/typo3/sysext/core/Classes/Utility/StringUtility.php
+++ b/typo3/sysext/core/Classes/Utility/StringUtility.php
@@ -189,11 +189,12 @@ class StringUtility
     *  + position #63: `_` (underscore) -> `/`
     *
     * @param string $value base64url decoded string
-     * @return string raw value
+     * @param bool $strict enforces to only allow characters contained in the base64(url) alphabet
+     * @return string|false raw value, or `false` if non-base64(url) characters were given in strict mode
     */
-    public static function base64urlDecode(string $value): string
+    public static function base64urlDecode(string $value, bool $strict = false): string|false
    {
-        return base64_decode(strtr($value, ['-' => '+', '_' => '/']));
+        return base64_decode(strtr($value, ['-' => '+', '_' => '/']), $strict);
    }
    /**

--- a/typo3/sysext/core/Tests/Unit/Utility/StringUtilityTest.php
+++ b/typo3/sysext/core/Tests/Unit/Utility/StringUtilityTest.php
@@ -389,6 +389,32 @@ final class StringUtilityTest extends UnitTestCase
        self::assertSame($rawValue, StringUtility::base64urlDecode($encodedValue));
    }
+    public static function base64urlStrictDataProvider(): \Generator
+    {
+        yield ['', ''];
+        yield ['YQ', 'a'];
+        yield ['YWE', 'aa'];
+        yield ['YWE-', 'aa>'];
+        yield ['YWE_', 'aa?'];
+        yield ['YWFh', 'aaa'];
+        yield ['YWFhYQ', 'aaaa'];
+        yield ['YWFhYQ!', false];
+        yield ['Y!W!E', false];
+        // `Y W E` is interesting - plain `base64_decode` strips inner spaces
+        yield ['Y W E', 'aa'];
+        yield ["Y\nW\nE", 'aa'];
+        yield ["Y\tW\tE", 'aa'];
+    }
+    /**
+     * @test
+     * @dataProvider base64urlStrictDataProvider
+     */
+    public function base64urlStrictDecodeWorks(string $encodedValue, string|bool $expectation): void
+    {
+        self::assertSame($expectation, StringUtility::base64urlDecode($encodedValue, true));
+    }
    public static function explodeEscapedDataProvider(): array
    {
        return [