paragonie / constant_time_encoding

Constant-Time Character Encoding in PHP Projects
https://paragonie.com/blog/2016/06/constant-time-encoding-boring-cryptography-rfc-4648-and-you

Fix: unreachable code typo #56

Closed Grundik closed 5 months ago

Grundik commented 9 months ago

In Base64->decodeNoPadding() there are two conditional checks of $srcLen & 3. But it can't be zero and greater than 1 at the same time; probably that was a typo. As far as I can understand, this is just a check for padding characters in the last two places, so the second condition was meant as $strLen > 1. But it's always true: in the previous code it was checked to be not zero, and then checked for $srcLen & 3 (basically "is it divisible by 4?"), so it can't be less than 4 in this branch.

So, I've done light refactoring of this place. Since it's input validation, it should not leak any significant information in the context of timing attacks.

Grundik commented 9 months ago

Probably that second check could have just been removed; it does not give anything substantial. That's why this bug was not noticed.
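The validation both comments describe, as an added standalone illustration that is not the library's own code: a PHP check that rejects `=` padding in the last two positions of an input meant for an unpadded Base64 decoder, with the nesting that made the second position's check unreachable flattened out. The function name, exception messages and sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of paragonie/constant_time_encoding):
// reject inputs that carry '=' padding when the decoder expects none.
// Assumption: the caller has already handled the empty string.
function rejectTrailingPadding(string $encoded): void
{
    $srcLen = strlen($encoded);

    // Base64 without padding never has length = 1 (mod 4); only 0, 2 or 3
    // are possible, so a remainder of 1 is malformed input on its own.
    if (($srcLen & 3) === 1) {
        throw new InvalidArgumentException('Malformed Base64 length');
    }

    // The thread's bug: testing `($srcLen & 3) > 1` inside a branch that
    // already required `($srcLen & 3) === 0` can never be true, so the
    // second-to-last position was never inspected. Check both positions
    // directly instead; the guard on $srcLen > 1 keeps the index valid.
    if ($encoded[$srcLen - 1] === '=') {
        throw new InvalidArgumentException("decodeNoPadding() doesn't tolerate padding");
    }
    if ($srcLen > 1 && $encoded[$srcLen - 2] === '=') {
        throw new InvalidArgumentException("decodeNoPadding() doesn't tolerate padding");
    }
}

// Constructed samples: "hello" unpadded is aGVsbG8, padded is aGVsbG8=,
// and "hell" padded is aGVsbA== (two padding characters).
foreach (['aGVsbG8', 'aGVsbG8=', 'aGVsbA=='] as $sample) {
    try {
        rejectTrailingPadding($sample);
        echo "accepted: {$sample}\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$sample} ({$e->getMessage()})\n";
    }
}
```

The checks depend only on the input's length and its last two characters, which is why, as the comment notes, they do not widen the timing surface of the decoder itself.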