Is it safe to pass raw base64 encoded strings via GET parameters?

+2  A: 

I don't think that this is safe because e.g. the "=" character is used in raw base 64 and is also used in differentiating the parameters from the values in an HTTP GET.

Mischa
+6  A: 

No, you would need to url-encode it, since base64 strings can contain the "+", "=" and "/" characters which could alter the meaning of your data - look like a sub-folder.

Valid base64 characters are below.

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
Thiyagaraj
URLencoding is a waste of space, especially as base64 itself leaves many characters unused.
Michał Górny
I am not sure I understand what you are saying - URL encoding won't alter any of the characters except the last three characters in the list above, and that is to prevent them from being interpreted incorrectly since they have other meanings in URLs. The same goes for base64, the original data could be binary or anything, but it is encoded in a form that can be transmitted easily using simple protocols.
Thiyagaraj
Firstly, you should escape '+' too as it may be converted into space. Secondly, there are at least a few characters which are safe for use in URLs and aren't used in the ‘standard’ charset. Your method can even increase the size of transferred data _three times_ in certain situations, while replacing those characters with some others will do the trick while preserving the same length. And it's quite a standard solution too.
Michał Górny
While your argument is valid, read this - en.wikipedia.org/wiki/Base64. Maybe you would understand the reasons for choosing it a little more clearly.
Thiyagaraj
http://en.wikipedia.org/wiki/Base64#URL_applications — it says clearly that escaping ‘makes the string unnecessarily longer’ and mentions the alternate charset variant.
Michał Górny
+3  A: 

Yes and no.

The basic charset of base64 may in some cases collide with traditional conventions used in URLs. But many base64 implementations allow you to change the charset to match URLs better or even come with one (like Python's urlsafe_b64encode()).

Another issue you may be facing is the limit of URL length or rather — lack of such limit. Because standards do not specify any maximum length, browsers, servers, libraries and other software working with the HTTP protocol may define their own limits. You may take a look at this article: WWW FAQs: What is the maximum length of a URL?

Michał Górny
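Added example (not part of the original answers): the three options discussed on this page, run against the same constructed bytes and parsed the way a server-side query-string parser would. The helper names `query_roundtrip`, `encode_urlsafe`, `decode_urlsafe` and `compare` are illustrative, and the example assumes padding is stripped on encode and restored on decode.

```python
import base64
from urllib.parse import parse_qs, quote

# Constructed sample: four bytes whose standard base64 form contains '+', '/' and '='.
SAMPLE = b"\xfb\xef\xff\xfe"


def query_roundtrip(value: str) -> str:
    """Place value in a query string as-is and parse it as a server would."""
    return parse_qs("data=" + value, keep_blank_values=True)["data"][0]


def encode_urlsafe(raw: bytes) -> str:
    """Base64 with the URL-safe alphabet ('-' and '_'), padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_urlsafe(token: str) -> bytes:
    """Restore the stripped '=' padding, then decode the URL-safe alphabet."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def compare(raw: bytes) -> dict:
    """Show what the receiver sees for each of the three encodings."""
    standard = base64.b64encode(raw).decode("ascii")
    escaped = quote(standard, safe="")  # percent-encode '+', '/' and '='
    urlsafe = encode_urlsafe(raw)
    return {
        "standard": standard,
        # '+' is read as a space, so the raw form arrives altered
        "standard_received": query_roundtrip(standard),
        "escaped": escaped,
        "escaped_received": query_roundtrip(escaped),
        "urlsafe": urlsafe,
        "urlsafe_decoded": decode_urlsafe(query_roundtrip(urlsafe)),
    }


if __name__ == "__main__":
    for name, value in compare(SAMPLE).items():
        print(f"{name:18} {value!r}")
```

Percent-encoding survives the round trip but grows each escaped character to three; the URL-safe alphabet survives it at the original length or shorter.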
A: 

In theory, yes, as long as you don't exceed the maximum URL and/or query string length for the client or server.

In practice, things can get a bit trickier. For example, it can trigger an HttpRequestValidationException on ASP.NET if the value happens to contain an "on" and you leave in the trailing "==".

Nicole Calinoiu
You make no mention of +, /, or = characters which make URLs invalid in certain cases.
Will Bickford