<html><head></head><body><div><div><div style="display: none; border: 0px; width: 0px; height: 0px; overflow: hidden; visibility: hidden;"><img src="https://r.superhuman.com/QoQbASZxS2FxHpjncKBE2Yx2p--ErouFcgulkgKskl4x8evTtjT9L0ozsEjkG9G4SgiQAIJAOAoQiF7Qx9zDQB2QZmd0SrWMJt4I0XzqrH_ewhSEuARKKCujDP52fiYCy0fTvm5SKud6tuU-bZAPDavrtYLphKKsxEm3supyh5qJZiPbZ-jEJvGIRM0.gif" alt=" " width="1" height="0" style="display: none; border: 0px; width: 0px; height: 0px; overflow: hidden; visibility: hidden;"/><!-- --></div><div><p class="p1" style="margin:0px;">Hi everyone!<br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;">I’m pleased to announce base64-bytestring-1.2.0.0. In this release, we cleared out the backlog of outstanding feature requests, correctness, and security fixes to present a new stable release. This constituted a major version bump due to the fact that the fixes changed the semantics of the decode function for some inputs, making the decoding process more correct than it was previously.<span class="Apple-converted-space"> </span><br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;"></p><div>To illustrate one of the changes to correctness, here’s a quick quiz:<br/></div><div> <br/></div><div> ```<br/></div><div> <i>What are the correct results of Base64-decoding the strings "ZK==“, </i>"Zm9vYE==“, or "Zm9vYmD="<i>?</i><br/></div><p></p><p class="p1" style="margin:0px;">```<br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;">The answer is: the decoding should fail. Why? Even though the above strings may look like externally valid Base64 strings, they are technically impossible to construct such string via Base64-encoding from any binary data in the first place.<span class="Apple-converted-space"> </span><br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;"></p><div>Previously (and historically in every version up until this release), they would pass decoding, but fail to roundtrip: <br/></div><div> <br/></div><div> ```<br/></div><div> П> decode "ZK=="<br/></div><p></p><p class="p1" style="margin:0px;">Right "d"<br/></p><p class="p1" style="margin:0px;">П> encode "d"<br/></p><p class="p1" style="margin:0px;">"ZA=="<br/></p><p class="p1" style="margin:0px;">П> decode "Zm9vYE=="<br/></p><p class="p1" style="margin:0px;">Right "foo`"<br/></p><p class="p1" style="margin:0px;">П> encode "foo`"<br/></p><p class="p1" style="margin:0px;">"Zm9vYA=="<br/></p><p class="p1" style="margin:0px;">П> decode "Zm9vYmD="<br/></p><p class="p1" style="margin:0px;">Right "foob`"<br/></p><p class="p1" style="margin:0px;">П> encode "foob`"<br/></p><p class="p1" style="margin:0px;"></p><div>"Zm9vYmA="<br/></div><div> ```<br/></div><p></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;">This was the result of leaking bits when decoding the final quanta of the bytestring. I caught this, and provided a fix. Now here’s an interesting point: there are very few libraries out there that actually address this problem! In fact, there was only one other library out there that I was able to find that was fully correct-per-RFC-spec, which was the Java Amazon SDK. So I guess we can be proud of Haskell in that sense now? I’ve implemented the same in my `base64` library on hackage using the same bitmasking verification techniques, so that one is up to date as well.<span class="Apple-converted-space"> </span><br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p2" style="margin:0px;"><br/></p><p class="p1" style="margin:0px;">Anyway, cheers and happy hacking,<br/></p><p class="p1" style="margin:0px;">Emily<span class="Apple-converted-space"> </span><br/></p><div><br/></div></div><br/><div class="gmail_signature"></div></div></div></body></html>