Fix false UTF-7 detection of SHA-1 git hashes #324
Merged
dan-blanchard merged 1 commit into chardet:main from Mar 4, 2026
dan-blanchard (Member) left a comment:
Thanks for the fix! If you could provide a more realistic example for that one test that is trying to trigger it via a VCS file (which I think is where you said the issue originally occurred), I'd appreciate it. Otherwise this looks pretty good.
b11a886 to 5e7cea8
_is_valid_utf7_b64 skipped all content checks when base64 length was a multiple of 8 (padding_bits == 0). A 40-char hex SHA-1 hash meets that condition exactly, causing pure-ASCII requirements files with VCS pins to be misdetected as UTF-7 (fixes chardet#323). Fix: decode the base64 and reject lone surrogates — the reported hash decodes to 0xDDC6, an unpaired low surrogate, which is invalid UTF-16BE and can never appear in real UTF-7.
_is_valid_utf7_b64 skipped all content checks when base64 length was a multiple of 8 (padding_bits == 0). A 40-char hex SHA-1 hash meets that condition exactly, causing pure-ASCII requirements files with VCS pins to be misdetected as UTF-7 (fixes #323).
Fix: decode the base64 and reject lone surrogates — the reported hash decodes to 0xDDC6, an unpaired low surrogate, which is invalid UTF-16BE and can never appear in real UTF-7.
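The check described above, as an added example that is not chardet's code: it decodes a UTF-7 base64 run into UTF-16BE code units and rejects nonzero padding bits and unpaired surrogates. The function names and the 40-character hex string are constructed for illustration; the string was chosen to begin with `3ca`, which decodes to 0xDDC6.

```python
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed 40-char hex string standing in for a SHA-1 pin (not from the PR).
SAMPLE_HASH = "3ca5e1f09b7d2c4a6e8f0123456789abcdef0123"


def decode_utf16_units(run):
    """Decode an unpadded UTF-7 base64 run into 16-bit code units.

    Returns (units, leftover_bit_count, leftover_bits_value).
    Raises ValueError on a character outside the base64 alphabet.
    """
    acc = nbits = 0
    units = []
    for ch in run:
        acc = (acc << 6) | B64.index(ch)
        nbits += 6
        if nbits >= 16:
            nbits -= 16
            units.append(acc >> nbits)
            acc &= (1 << nbits) - 1
    return units, nbits, acc


def first_lone_surrogate(units):
    """Return the first unpaired surrogate code unit, or None."""
    i = 0
    while i < len(units):
        u = units[i]
        if 0xD800 <= u <= 0xDBFF:  # high surrogate needs a low one next
            if i + 1 < len(units) and 0xDC00 <= units[i + 1] <= 0xDFFF:
                i += 2
                continue
            return u
        if 0xDC00 <= u <= 0xDFFF:  # low surrogate with no preceding high
            return u
        i += 1
    return None


def is_plausible_utf7_run(run):
    """Content check that still runs when the padding bit count is 0."""
    try:
        units, nbits, leftover = decode_utf16_units(run)
    except ValueError:
        return False
    if not units or nbits >= 6 or leftover != 0:
        return False
    return first_lone_surrogate(units) is None
```

A run whose length is a multiple of 8 always leaves zero padding bits, so the surrogate check is the only one of the two that can reject `SAMPLE_HASH`.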