Skip to content

Reject malformed base64 payload in RFC 2047 decodeWord#478

Merged
garydgregory merged 1 commit into
apache:masterfrom
alhudz:rfc2047-base64-invalid
Jul 15, 2026
Merged

Reject malformed base64 payload in RFC 2047 decodeWord#478
garydgregory merged 1 commit into
apache:masterfrom
alhudz:rfc2047-base64-invalid

Conversation

@alhudz

@alhudz alhudz commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

MimeUtils.decodeWord decodes an RFC 2047 encoded-word reached from a Content-Disposition / Content-Type parameter (filename, name, boundary) via ParameterParser. The base64 branch calls Base64.getMimeDecoder().decode(...), which throws IllegalArgumentException on a malformed final unit. That is not caught by the surrounding catch (IOException), so it escapes the method's declared throws ParseException, UnsupportedEncodingException. The quoted-printable branch throws IOException on the same kind of malformed input and is remapped cleanly, so the two encodings reject bad input inconsistently.

Repro: MimeUtils.decodeText("=?UTF-8?B?A?=") (payload is a single base64 char).
Expected: UnsupportedEncodingException, as for a malformed Q payload.
Actual: IllegalArgumentException ("Last unit does not have enough valid bits").

Widen the existing catch to IOException | IllegalArgumentException so a malformed base64 payload is rejected like a malformed quoted-printable one. Keeping the mapping in decodeWord keeps both encodings within the same declared contract instead of leaking a base64-specific runtime exception. Covered by a new case in MimeUtilityTestCase.

@garydgregory garydgregory changed the title reject malformed base64 payload in RFC 2047 decodeWord Reject malformed base64 payload in RFC 2047 decodeWord Jul 15, 2026
@garydgregory garydgregory merged commit d492799 into apache:master Jul 15, 2026
9 checks passed
@garydgregory

garydgregory commented Jul 15, 2026

Copy link
Copy Markdown
Member

Thank you @alhudz, merged 🚀 Please port to 1.x.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants