This repository has been archived by the owner on Jul 13, 2023. It is now read-only.
Reject padded Base64 in crypto headers #451
Comments
ghost
added
the
jrconlin
added a commit
that referenced
this issue
Apr 21, 2016
The client will soon reject any key content that includes padding. The server will need to watch and strip it. We should also return a warning message, however the likelihood of that warning being noticed is minimal. Closes #451
jrconlin
added a commit
that referenced
this issue
Apr 22, 2016
The client will soon reject any key content that includes padding. The server will need to watch and strip it. We should also return a warning message, however the likelihood of that warning being noticed is minimal. Closes #451
jrconlin
added a commit
that referenced
this issue
Apr 28, 2016
The client will soon reject any key content that includes padding. The server will need to watch and strip it. We should also return a warning message, however the likelihood of that warning being noticed is minimal. Closes #451
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
@martinthomson suggested rejecting padded params in https://bugzilla.mozilla.org/show_bug.cgi?id=1256488#c8, and draft-ietf-httpbis-encryption-encoding cites RFC 7515, too.
Unfortunately, the test page used the padded form for a while, and I suspect others might, too. These senders will break once bug 1256488 lands.
I think we should detect these on the server and return a more helpful error, instead of having the client fail decryption.
+@jrconlin
The text was updated successfully, but these errors were encountered: