Actions
Bug #13970
closedBase64 urlsafe_decode64 unsafe use of tr.
Description
A lot of the base64 module lacks duck typing or nice errors.
For example the urlsafe_decode64
function never checks str
is something that behaves like a string and will respond to tr
.
If you pass nil
by mistake you end up with the dreaded "can't call method on (n)" rather than an informative error.
def urlsafe_decode64(str)
# NOTE: RFC 4648 does say nothing about unpadded input, but says that
# "the excess pad characters MAY also be ignored", so it is inferred that
# unpadded input is also acceptable.
str = str.tr("-_", "+/")
if !str.end_with?("=") && str.length % 4 != 0
str = str.ljust((str.length + 3) & ~3, "=")
end
strict_decode64(str)
end
Raising an error or silently failing if the argument doesn't respond to tr
(or to_s.tr
) both seem preferable to errors raised by the internal implementation but I'm wondering if there is a preferred approach in Rubys stdlib?
Actions
Like0
Like0