[Proximity auth] Disallow '+' and '/' in incoming base64-encoded strings.

components/proximity_auth/cryptauth/base64url.cc

Index: components/proximity_auth/cryptauth/base64url.cc
diff --git a/components/proximity_auth/cryptauth/base64url.cc b/components/proximity_auth/cryptauth/base64url.cc
index a38043fa0a3f53cf9f82d9cd930e8c42119c678f..d32f188b5741474eff783fe933719438fd944a16 100644
--- a/components/proximity_auth/cryptauth/base64url.cc
+++ b/components/proximity_auth/cryptauth/base64url.cc
@@ -18,6 +18,12 @@ void Base64UrlEncode(const std::string& decoded_input,
 
 bool Base64UrlDecode(const std::string& encoded_input,
                      std::string* decoded_output) {
+  // Bail on malformed strings, which already contain a '+' or a '/'. All valid
+  // strings should escape these special characters as '-' and '_',
+  // respectively.
+  if (encoded_input.find_first_of("+/") != std::string::npos)
+    return false;
+
   std::string adjusted_encoded_input = encoded_input;
   base::ReplaceChars(adjusted_encoded_input, "-", "+", &adjusted_encoded_input);
   base::ReplaceChars(adjusted_encoded_input, "_", "/", &adjusted_encoded_input);