[Proximity auth] Disallow '+' and '/' in incoming base64-encoded strings.

components/proximity_auth/cryptauth/base64url_unittest.cc

Index: components/proximity_auth/cryptauth/base64url_unittest.cc
diff --git a/components/proximity_auth/cryptauth/base64url_unittest.cc b/components/proximity_auth/cryptauth/base64url_unittest.cc
index 88fd16c6283f436817dbb0bd14ef9289c115bc9a..b24425a0f23287a0126db929afa6700d0e3b76d3 100644
--- a/components/proximity_auth/cryptauth/base64url_unittest.cc
+++ b/components/proximity_auth/cryptauth/base64url_unittest.cc
@@ -64,4 +64,16 @@ TEST(ProximityAuthBase64UrlTest, DecodeSpecialCharacters) {
   EXPECT_EQ("/+Y=", non_web_safe_encoded);
 }
 
+TEST(ProximityAuthBase64UrlTest, DecodeBailsOnPlus) {
+  const std::string encoded = "_+Y=";
+  std::string decoded;
+  EXPECT_FALSE(Base64UrlDecode(encoded, &decoded));
+}
+
+TEST(ProximityAuthBase64UrlTest, DecodeBailsOnSlash) {
+  const std::string encoded = "/-Y=";

[Ryan Sleevi, 2015/06/09 22:39:48]

Just to confirm: Are these valid b64strings otherwise? That is, is "/+Y=" valid?

It may help to add a comment to these tests to indicate what the encoded value
is, just so it's clear to not just stuff "any" value in here but it needs to be
one that would be easily confused if doing a 'dumb' search/replace

[Ilya Sherman, 2015/06/09 23:08:40]

Done.  "/+Y=" is the string that's tested above; but I've now added explicit
comments to make this even clearer.

+  std::string decoded;
+  EXPECT_FALSE(Base64UrlDecode(encoded, &decoded));
+}
+
 }  // namespace proximity_auth