Base64URL valid characters are not properly validated

[pacu]

reported Electric-Coin-Company/zashi-ios#1420 here

[daira]

I have little time to work on this, but I see the problem. It's here:

zcash-swift-payment-uri/Sources/ZcashPaymentURI/Model.swift

Lines 110 to 111 in 75ca8f3

	var base64 = base64URL.replacingOccurrences(of: "_", with: "/")
	.replacingOccurrences(of: "-", with: "+")

This converts the base64url string into a base64 string just by substituting / in place of _ and + in place of -. This doesn't detect cases where the string already contained / or +, or contains = (which ZIP 321 also prohibits).

Before doing this substitution, it should be explicitly checking that the string contains only the allowed base64url characters. That is, the input should be checked to match the regex [-_A-Za-z0-9]* . (I don't know whether that's the simplest way to implement it using the Swift APIs.)

Note that we can't assume that Data(base64Encoded:) doesn't have undocumented Postel's Rule acceptance of other strings that are not strictly valid base64. So, we have to restrict our use of it to strings that we know are valid base64, because they were transformed from valid base64url. As it happens, the character set restriction is the only check needed, because a string of any number of base64url-allowed characters is a valid base64url.