You have a URL injection bug. You took a arbitrary text (a base64 string) and used it as a url parameter value without first converting it into a url parameter value. This is the same class of problem which are exploited by SQL injection attacks.

• If you insert text into SQL, you need to turn it into a SQL literal first.
• If you insert text into HTML, you need to turn it into HTML text first.
• If you insert text into a shell command, you need to turn it into a shell literal first.
• And if you insert text into a URL, you need to turn it into an URL component first.

Whenever one interpolates a string into another or concatenate a string with another, one needs to consider whether any conversion is required. Concatenating strings could very well be the biggest security risk of the times. People forget they're not just concatenating strings; they're concatenating the content of those strings.