Improve parsing of base64-encoded strings

tvdijen · tvdijen · commit 7f86deed1602 · 2024-04-25T15:50:54.000+02:00
diff --git a/docs/simplesamlphp-customauth.md b/docs/simplesamlphp-customauth.md
@@ -335,7 +335,11 @@ class MyAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
      */
     private function checkPassword($passwordHash, $password)
     {
-        $passwordHash = base64_decode($passwordHash);
+        $passwordHash = base64_decode($passwordHash, true);
+        if (empty($passwordHash)) {
+            throw new \InvalidArgumentException("Password hash is empty or not a valid base64 encoded string.");
+        }
+
         $digest = substr($passwordHash, 0, 20);
         $salt = substr($passwordHash, 20);
 
diff --git a/modules/core/src/Controller/Redirection.php b/modules/core/src/Controller/Redirection.php
@@ -59,7 +59,7 @@ public function postredirect(Request $request): Response
         if ($redirId !== false) {
             $postId = $redirId;
         } elseif ($redirInfo !== false) {
-            $encData = base64_decode($redirInfo);
+            $encData = base64_decode($redirInfo, true);
 
             if (empty($encData)) {
                 throw new Error\BadRequest('Invalid RedirInfo data.');
diff --git a/src/SimpleSAML/Utils/Crypto.php b/src/SimpleSAML/Utils/Crypto.php
@@ -337,7 +337,12 @@ public function pem2der(string $pem): string
         }
         unset($lines[$last]);
 
-        return base64_decode(implode($lines));
+        $transform = base64_decode(implode($lines), true);
+        if (empty($transform)) {
+            throw new InvalidArgumentException("pem2der: input is empty or not a valid base64 encoded string.");
+        }
+
+        return $transform;
     }
 
 
diff --git a/tests/src/SimpleSAML/Utils/CryptoTest.php b/tests/src/SimpleSAML/Utils/CryptoTest.php
@@ -120,7 +120,7 @@ public function testAesDecrypt(): void
 uR2Yu0r4itInKx91D/l9y/08L5CIQyev9nAr27fh3Sshous4vbXRRcMcjqHDOrquD+2vqLyw7ygnbA9jA9TpB4hLZocvAWcTN8tyO82hiSY=
 CIPHER;
 
-        $decrypted = $this->cryptoUtils->aesDecrypt(base64_decode($ciphertext));
+        $decrypted = $this->cryptoUtils->aesDecrypt(base64_decode($ciphertext, true));
         $this->assertEquals($plaintext, $decrypted);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -337,7 +337,12 @@ public function pem2der(string $pem): string`
`337`	`337`	`}`
`338`	`338`	`unset($lines[$last]);`
`339`	`339`
`340`		`- return base64_decode(implode($lines));`
	`340`	`+ $transform = base64_decode(implode($lines), true);`
	`341`	`+ if (empty($transform)) {`
	`342`	`+ throw new InvalidArgumentException("pem2der: input is empty or not a valid base64 encoded string.");`
	`343`	`+ }`
	`344`	`+`
	`345`	`+ return $transform;`
`341`	`346`	`}`
`342`	`347`
`343`	`348`
Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ public function testAesDecrypt(): void`
`120`	`120`	`uR2Yu0r4itInKx91D/l9y/08L5CIQyev9nAr27fh3Sshous4vbXRRcMcjqHDOrquD+2vqLyw7ygnbA9jA9TpB4hLZocvAWcTN8tyO82hiSY=`
`121`	`121`	`CIPHER;`
`122`	`122`
`123`		`- $decrypted = $this->cryptoUtils->aesDecrypt(base64_decode($ciphertext));`
	`123`	`+ $decrypted = $this->cryptoUtils->aesDecrypt(base64_decode($ciphertext, true));`
`124`	`124`	`$this->assertEquals($plaintext, $decrypted);`
`125`	`125`	`}`
`126`	`126`