From fbcfa6a532d4e7c555693b549a97adfa3d38aca4 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Sat, 3 Aug 2019 18:38:32 -0400
Subject: [PATCH] encoding/base64: document that Strict mode still ignores
 newlines

An application that wants to reject non-canonical encodings is likely to
care about other sources of malleability.

Change-Id: I1d3a5b281d2631ca78df3f89b957a02687a534d8
Reviewed-on: https://go-review.googlesource.com/c/go/+/188858
Reviewed-by: Katie Hockman <katie@golang.org>
---
 src/encoding/base64/base64.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/encoding/base64/base64.go b/src/encoding/base64/base64.go
index 082210198f3..690d3ce0421 100644
--- a/src/encoding/base64/base64.go
+++ b/src/encoding/base64/base64.go
@@ -86,6 +86,9 @@ func (enc Encoding) WithPadding(padding rune) *Encoding {
 // Strict creates a new encoding identical to enc except with
 // strict decoding enabled. In this mode, the decoder requires that
 // trailing padding bits are zero, as described in RFC 4648 section 3.5.
+//
+// Note that the input is still malleable, as new line characters
+// (CR and LF) are still ignored.
 func (enc Encoding) Strict() *Encoding {
 	enc.strict = true
 	return &enc