Description
Describe the bug
If the `SAMLResponse` parameter for Single Logout contains line breaks, Base64 decoding fails with an `IllegalArgumentException`:

```text
java.lang.IllegalArgumentException: Illegal base64 character d
	at java.base/java.util.Base64$Decoder.decode0(Base64.java:847)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
	at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
	at org.springframework.security.saml2.provider.service.authentication.logout.Saml2Utils.samlDecode(Saml2Utils.java:47)
	at org.springframework.security.saml2.provider.service.authentication.logout.OpenSamlLogoutResponseValidator.validate(OpenSamlLogoutResponseValidator.java:77)
	at org.springframework.security.saml2.provider.service.web.authentication.logout.Saml2LogoutResponseFilter.doFilterInternal(Saml2LogoutResponseFilter.java:141)
```

Because the same `Saml2Utils` class is used to decode the `LogoutRequest`, the issue should also occur there.
During authentication, the `SAMLResponse` is Base64-decoded using `org.apache.commons.codec.binary.Base64`, and line breaks are not an issue there.
To Reproduce
Capture the POST to `/logout/saml2/slo`, add some `%0D` and/or `%0A` to the `SAMLResponse` parameter, and submit the POST request. Alternatively, have an asserting party that produces a `SAMLResponse` containing line breaks.
Expected behavior
Single Logout should accept newlines in the `SAMLResponse` request parameter.
According to https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf, line 793: "The base64-encoded value MAY be line-wrapped at a reasonable length in accordance with common practice."
The document is not clear about the specific Base64 format to be used in this context, but it refers to RFC2045 in some other contexts. RFC2045 is implemented by `java.util.Base64.getMimeEncoder()`.
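The decoder behaviour described in the bug report and in the expected-behaviour section, as an added example that is not part of this issue and not Spring Security's own code: it encodes a constructed stand-in for a `LogoutResponse` with RFC 2045 line wrapping, shows the strict `java.util.Base64` decoder failing with the same message as the stack trace, and shows the MIME decoder (assumed here as the lenient alternative; the issue only mentions the MIME encoder) round-tripping the value. The `PAYLOAD` document, the `ID` value and the class and method names are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SamlLineWrapDemo {

    // Constructed stand-in for a SAML LogoutResponse; long enough (> 57 bytes) that
    // the MIME encoder inserts at least one CRLF, as a line-wrapping asserting party would.
    static final String PAYLOAD =
            "<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" "
            + "ID=\"_constructed-example-id\" Version=\"2.0\">"
            + "<samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/>"
            + "</samlp:Status></samlp:LogoutResponse>";

    /** Encodes with CRLF every 76 characters (RFC 2045), i.e. a line-wrapped SAMLResponse. */
    static String lineWrappedEncode(String xml) {
        return Base64.getMimeEncoder().encodeToString(xml.getBytes(StandardCharsets.UTF_8));
    }

    /** Strict decode, the behaviour shown in the stack trace: any character outside the
     *  Base64 alphabet (including CR/LF) raises IllegalArgumentException. */
    static byte[] strictDecode(String encoded) {
        return Base64.getDecoder().decode(encoded);
    }

    /** Lenient decode that ignores line separators, comparable in effect to the
     *  commons-codec decoder used on the authentication path. */
    static byte[] mimeDecode(String encoded) {
        return Base64.getMimeDecoder().decode(encoded);
    }

    public static void main(String[] args) {
        String wrapped = lineWrappedEncode(PAYLOAD);
        System.out.println("encoded value contains CRLF: " + wrapped.contains("\r\n"));

        try {
            strictDecode(wrapped);
            System.out.println("strict decoder accepted the line-wrapped value");
        } catch (IllegalArgumentException e) {
            // Prints "Illegal base64 character d": 'd' is the hex value of CR (0x0d),
            // which is the character the report's %0D reproduction step injects.
            System.out.println("strict decoder: " + e.getMessage());
        }

        String roundTrip = new String(mimeDecode(wrapped), StandardCharsets.UTF_8);
        System.out.println("MIME decoder round-trips the document: " + roundTrip.equals(PAYLOAD));
    }
}
```

Two points a reviewer of the eventual fix would want to check: the MIME decoder skips every character outside the Base64 alphabet, not only CR and LF, so accepting it widens what reaches the XML parser and makes the downstream signature validation the check that actually matters; and a decode failure on the logout endpoint should surface as a handled error rather than an unhandled `IllegalArgumentException` propagating out of the filter, which is what the stack trace above shows today.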