Commit ef46dbe
committed
fix: reject + and / in the no-native-fromBase64 decode fallback
When `Uint8Array.fromBase64` is unavailable, base64url `decode()` falls
back to translating `-_` to `+/` and decoding via `atob`, which accepts
the standard-Base64 characters `+` and `/`. The native path
(`Uint8Array.fromBase64(input, { alphabet: 'base64url' })`) rejects them,
so the same input is accepted on runtimes without the native method and
rejected on runtimes with it.
Reject `+` and `/` in the fallback before the `-_` -> `+/` translation,
matching the native path. Only those two characters change behaviour;
padding and whitespace handled by `atob` are untouched.1 parent b299ce2 commit ef46dbe
2 files changed
Lines changed: 34 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
24 | 29 | | |
25 | 30 | | |
26 | 31 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
0 commit comments