GNOME Bugzilla – Bug 631771
Verify base64 data has '=' end-markers
Last modified: 2013-11-21 14:55:16 UTC
Mango currently verifies SSH keys by base64 decoding the data and checking if that succeeds. Seems that PHP allows the '=' end-markers to be left out. This resulted in the key for jralls being seen as valid and even with the right fingerprint, while SSH would refuse to decode the base64 data. Solution would be to be strict with the allowed base64 data. Not sure if PHP allows this. Perhaps only to be implemented for the Django version.
[ Probably clear, but worth pointing out that the = character represents padding, and depending on the length of the encoded data base64 strings can end with 0, 1, or 2 = signs ]
Created attachment 172332: Ensure base64-encoded SSH keys have correct padding
Perhaps it would be better to just base64_encode the decoded string and see if it's the same as the input.
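One way to do the strict check discussed in this bug, in Python for the Django version mentioned in the report (an added example, not Mango's code and not the attached patch). It combines the padding check, a strict-alphabet decode and the re-encode comparison suggested in the comment above, and goes one step further by comparing the key type stored in the SSH wire-format blob with the declared one; the function names and the sample blob are assumptions made for illustration.

```python
import base64
import struct


def decode_key_blob(b64_text):
    """Strictly decode the base64 field of an OpenSSH public key line."""
    # Padded base64 is always a multiple of 4 characters long, so a key
    # whose '=' end-markers were dropped fails here.
    if not b64_text or len(b64_text) % 4 != 0:
        raise ValueError("length is not a multiple of 4 (missing '=' padding?)")
    # validate=True rejects characters outside the base64 alphabet instead
    # of silently discarding them; binascii.Error is a ValueError subclass.
    blob = base64.b64decode(b64_text, validate=True)
    # Round-trip check suggested in the thread: re-encoding must give back
    # the input exactly, which also catches non-canonical trailing bits.
    if base64.b64encode(blob).decode("ascii") != b64_text:
        raise ValueError("base64 text is not in canonical form")
    return blob


def embedded_key_type(blob):
    """Read the first SSH wire-format string (uint32 length + bytes)."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        raise ValueError("key type length exceeds blob size")
    return blob[4:4 + length].decode("ascii")


def is_valid_key_line(line):
    """True only if the base64 is strict and both key types agree."""
    fields = line.split()
    if len(fields) < 2:
        return False
    try:
        return embedded_key_type(decode_key_blob(fields[1])) == fields[0]
    except ValueError:
        return False


# Constructed sample: holds only the key-type field, not a usable key.
SAMPLE_B64 = base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa").decode("ascii")
```
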
The GNOME Infrastructure Team is currently migrating its bug / issue tracker away from Bugzilla to Request Tracker and therefore all the currently open bugs have been closed and marked as OBSOLETE. The following move will also act as a cleanup for very old and ancient tickets that were still living on Bugzilla. If your issue still hasn't been fixed as of today please report it again on the relevant RT queue. More details about the available queues you can report the bug against can be found at https://wiki.gnome.org/Sysadmin/RequestTracker. Thanks for your patience, the GNOME Infrastructure Team