Need BadBase32Exception and errors if data cannot be decoded properly

[afk11]

... or \Base32\DecodeException

I found this test suite, the negative cases down the bottom are engineered to detect implementation errors we should add

Base32 hex: https://opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/modules/base32/base32hex.testsuite.auto.html Base32: https://opensource.apple.com/source/tcl/tcl-87/tcl_ext/tcllib/tcllib/modules/base32/base32.testsuite.auto.html

On the first, preg_replace should be removed and preg_match & fail used instead. An RFC respecting implementation probably shouldn't accept all that many possibilities, or if so, it could be put behind an options bitmask/whatever and not the default

If non-alphabet characters are ignored, instead of causing rejection of the entire encoding (as recommended), a covert channel that can be used to "leak" information is made possible.

https://tools.ietf.org/html/rfc4648#section-12

The rest might take a bit more work :)

Edit: found something else interesting

Similarly, when the base 16 and base 32 alphabets are handled case insensitively, alteration of case can be used to leak information or make string equality comparisons fail.

https://github.com/ChristianRiesen/base32/blob/master/src/Base32.php hmm, here we do strtoupper on input. Instead of doing this, we should require the upper case characters be used. The RFC quote here suggests you could make a covert channel to leak information by encoding it by varying the characters which are upper/lower case. I'm fairly sure that's what they mean about ignoring non-alphabet characters too btw

I think we could make this safer - If we see someone mixing case or using lower-case we should fail to decode and mention DECODE_UPPERCASE and DECODE_LOWERCASE in the error. If we tell them which option to use for the case they want we might avoid them using strtoupper/etc and introducing the issue into their own code