System.Convert.FromBase64String（）接受一些无效字符串作为输入。这是.Net中的错误吗？

Question

.Net的Convert.FromBase64String（）实现可以输入无效输入，并在不抛出FormatException的情况下生成输出。大多数无效输入被正确捕获但这种类型不是。在这种情况下，FromBase64String将忽略输入字符串的最后4位。这可能导致多个输入解码到同一个字节数组。

此代码中演示了此问题：

var validBase64 = Convert.FromBase64String("TQ==");//assigned length 1 byte array with single byte 0x4d
var invalidBase64 = Convert.FromBase64String("TR==");//also assigned the same
var validConvertedBack = Convert.ToBase64String(validBase64);//assigned TQ==
var invalidConvertedBack = Convert.ToBase64String(validBase64);//assigned TQ==

出现这种情况的原因如下图所示：

＆＃39; Q＆＃39;的前2个字节使用（0,1）但忽略了接下来的4个。因此，以0,1开头的任何字符都将解码为相同的字节数组，例如R（0,1,0,0,0,1）。

Base64编码rfc没有定义解码，只有编码，所以.Net不违反该规范。然而，该规范确实警告类似的问题是危险的：

> The padding step in base 64 and base 32 encoding can, if improperly implemented, lead to non-significant alterations of the encoded data. For example, if the input is only one octet for a base 64 encoding, then all six bits of the first symbol are used, but only the first two bits of the next symbol are used. These pad bits MUST be set to zero by conforming encoders, which is described in the descriptions on padding below. If this property do not hold, there is no canonical representation of base-encoded data, and multiple base- encoded strings can be decoded to the same binary data. If this property (and others discussed in this document) holds, a canonical encoding is guaranteed.

Microsoft是否了解此功能？如果没有，这可能是一个安全问题吗？