Convert.FromBase64String decodes a non-multiple-of-4 Base64 string without throwing, and returns the same bytes as a canonical string (.NET Framework 4.5)

Question

Convert.FromBase64String decodes a non-multiple-of-4 Base64 string without throwing, and returns the same bytes as a canonical string (.NET Framework 4.5)

이용각 이용각 20

Environment: - .NET Framework 4.5 - C#

Problem: According to Base64 rules, after removing whitespace the input length must be a multiple of 4. However, in .NET Framework 4.5, Convert.FromBase64String sometimes decodes a string whose length is NOT a multiple of 4 (Length%4==1), with no whitespace and no non-Base64 characters. Repro: string a = "N3Riw/NjvYJE+mN4pTUewCtHt5xV9fIhs9FqnZt6a98uF0KzSQ=="; // length 52 string b = "N3Riw/NjvYJE+mN4pTUewCtHt5xV9fIhs9FqnZt6a98uF0KzaSQ=="; // length 53 (extra 'a') byte[] da = Convert.FromBase64String(a); byte[] db = Convert.FromBase64String(b); Debug.WriteLine("Same length? " + (da.Length == db.Length)); Debug.WriteLine("Same bytes? " + da.SequenceEqual(db)); Debug.WriteLine("a canonical? " + (Convert.ToBase64String(da) == a)); Debug.WriteLine("b canonical? " + (Convert.ToBase64String(db) == b)); Observed output: Same length? True Same bytes? True a canonical? True b canonical? False Additional diagnostics:

==== A ==== Length: 52, Length%4: 0 char.IsWhiteSpace count: 0 Non-Base64 chars count (including whitespace): 0

==== B ==== Length: 53, Length%4: 1 char.IsWhiteSpace count: 0 Non-Base64 chars count (including whitespace): 0

Questions: 1) Is this behavior documented/guaranteed? If not, is it a known bug/implementation detail? 2) What is the recommended strict Base64 validation approach in .NET Framework 4.5 to reject inputs like B before decoding?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Jack Dang (WICLOUD CORPORATION) 14,575 Microsoft External Staff Moderator

Hi @이용각 이용각 ,

Thanks for reaching out.

This tolerant behavior is not documented as something you should rely on, and it may differ across runtime versions. So it’s best to treat it as an internal behavior rather than a guaranteed feature.

If you need strict Base64 validation in .NET Framework 4.5, a reliable approach would be:

Ensure the input length (after removing whitespace) is a multiple of 4.
Decode using Convert.FromBase64String.
Re-encode the result using Convert.ToBase64String.
Compare the re-encoded value with the original input (after normalization).

If they don’t match exactly, you can safely reject the input as non-canonical or malformed.

Hope this helps! If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.

이용각 이용각 20 Reputation points

2026-02-13T05:32:56.6866667+00:00

Is there any plan to backport the strict behavior (throw on length % 4 != 0) to .NET Framework, or is it intentionally left as-is for legacy compatibility?
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Jack Dang (WICLOUD CORPORATION) 14,575 Reputation points Microsoft External Staff Moderator

2026-02-13T07:25:55.9333333+00:00

Hi @이용각 이용각 ,

Thanks for following up.

There’s no official plan from Microsoft to backport stricter Base64 validation to .NET Framework. The current behavior is intentional for legacy compatibility. Changing it now could break existing applications that rely on this “forgiving” behavior, so it’s left as-is.

If strict validation is required, the recommended approach is still to implement your own checks before decoding.

Share via

Convert.FromBase64String decodes a non-multiple-of-4 Base64 string without throwing, and returns the same bytes as a canonical string (.NET Framework 4.5)

0 additional answers

Your answer