Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Web Wallets
Re: Blocktrail.com | Wallet | Explorer | API
by
shorena
on 10/02/2016, 16:49:15 UTC
Quote from: rubensayshi on February 10, 2016, 12:42:51 PM
-snip-
hey, thanks for getting in touch! this could have been a pretty serious bug, but luckily it's not ;-)

the signature is 'base64' encoded which officially should have a trailing '=' if the last 'group' of bytes is only 2 bytes and act as a 'padding' to explicitly declare that you intended the last 'group' to miss 1 byte (base64 is chunked in 3 bytes per 'group') and a trailing '==' when the last 'group' is only 1 byte.
the javascript implementation of base64 actually silently asumes that if you don't have a trailing '=' but the last 'group' is only 2 bytes that it's supposed to be 2 bytes and doesn't error over it.

so when decoded (in javascript) from base64 into binary (or hex) "HyEuQEIIi5KS0dqyCaIWh6a5A3wIMFqkSEehuNa7jOUZTSyLa08czuASi5RUcj78hPI5PMNec0w6Xhz flMbFNcM" and "HyEuQEIIi5KS0dqyCaIWh6a5A3wIMFqkSEehuNa7jOUZTSyLa08czuASi5RUcj78hPI5PMNec0w6Xhz flMbFNcM=" both result in the same data.

Thanks for the explanation. Sounds logical in the light of the encoding. Would it be possible to show a message to the user? Something like "Your signature is valid, but misses a trailing '='." or "...'=='." respectivly.