Describe the bug
If the SAMLResponse parameter for Single Logout contains line breaks, Base64 decoding fails with an IllegalArgumentException:
java.lang.IllegalArgumentException: Illegal base64 character d
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:847)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
	at org.springframework.security.saml2.provider.service.authentication.logout.Saml2Utils.samlDecode(Saml2Utils.java:47)
	at org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator.validate(OpenSamlLogoutResponseValidator.java:77)
	at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter.doFilterInternal(Saml2LogoutResponseFilter.java:141)
Because the same Saml2Utils class is used to decode the LogoutRequest, the issue should also occur there.
During authentication, the SAMLResponse is Base64-decoded using org.apache.commons.codec.binary.Base64, and line breaks are not an issue there.
To Reproduce
Capture the POST to /logout/saml2/slo, add some %0D and/or %0A to the SAMLResponse parameter, and submit the POST request. Alternatively, have an asserting party that produces a SAMLResponse containing line breaks.
Expected behavior
Single Logout should accept newlines in the SAMLResponse request parameter.
According to https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, line 793: "The base64-encoded value MAY be line-wrapped at a reasonable length in accordance with common practice."
The document is not clear about the specific Base64 format to be used in this context, but it refers to RFC2045 in some other contexts. RFC2045 is implemented by java.util.Base64.getMimeEncoder().
Comment From: jzheaux
Thanks, @chschu, for reporting this. I agree that the spec in various places indicates RFC2045 must be used and in one place it loosely says that lines can be wrapped at "a reasonable length". These two are somewhat in conflict since RFC2045 line-wraps at a specific length.
I agree that one practical way to address this is to change Saml2Utils to use the MIME encoder. Would that address the issues you are experiencing?
Comment From: chschu
Yes, the MIME decoder would be able to decode a SAMLResponse with line breaks, because it ignores anything that is not in the "base64 alphabet" (RFC2045, top of page 26).
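The difference the thread turns on, demonstrated in a small stand-alone Java program. This is an added example, not code from Spring Security or from the issue's participants: it encodes a constructed placeholder XML document the way an RFC 2045 (MIME) encoder would, with 76-character lines terminated by CRLF, then decodes it once with the basic decoder that Saml2Utils uses today and once with the MIME decoder proposed as the fix. The class and method names, and the sample XML, are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/*
 * Added example, not Spring Security code. Shows why java.util.Base64.getDecoder()
 * rejects a line-wrapped SAMLResponse while Base64.getMimeDecoder() accepts it.
 * SAMPLE_XML is a constructed placeholder, not a real LogoutResponse.
 */
public class LineWrappedBase64Demo {

    // Constructed sample payload standing in for a SAML LogoutResponse document.
    // It is long enough that the MIME encoder has to wrap it (more than 76 Base64 chars).
    static final String SAMPLE_XML =
        "<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
        + " ID=\"_example\" Version=\"2.0\"/>";

    /** Encode the way a line-wrapping asserting party might: RFC 2045 MIME, 76-char lines with CRLF. */
    static String encodeLineWrapped(byte[] data) {
        return Base64.getMimeEncoder().encodeToString(data);
    }

    /** The behaviour reported: the basic decoder throws on any character outside the alphabet, CR included. */
    static byte[] decodeStrict(String b64) {
        return Base64.getDecoder().decode(b64);
    }

    /** The fix suggested in the thread: the MIME decoder skips characters outside the Base64 alphabet. */
    static byte[] decodeMime(String b64) {
        return Base64.getMimeDecoder().decode(b64);
    }

    public static void main(String[] args) {
        String wrapped = encodeLineWrapped(SAMPLE_XML.getBytes(StandardCharsets.UTF_8));
        System.out.println("Encoded value contains CRLF: " + wrapped.contains("\r\n"));

        try {
            decodeStrict(wrapped);
            System.out.println("strict decoder: decoded (unexpected for wrapped input)");
        } catch (IllegalArgumentException e) {
            // Same message as the report's stack trace: "Illegal base64 character d" (0x0d is CR)
            System.out.println("strict decoder: " + e.getMessage());
        }

        String roundTrip = new String(decodeMime(wrapped), StandardCharsets.UTF_8);
        System.out.println("MIME decoder round-trips the document: " + roundTrip.equals(SAMPLE_XML));
    }
}
```

The same program decodes the unwrapped output of Base64.getEncoder() with either decoder, so switching Saml2Utils to getMimeDecoder() is strictly more permissive. The caveat a reviewer would want stated is the one chschu's comment implies: the MIME decoder discards every byte outside the Base64 alphabet, not just CR and LF, so it accepts inputs the basic decoder would have rejected outright, and the decoded document is left to the signature validation that follows in OpenSamlLogoutResponseValidator.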