[ https://issues.apache.org/jira/browse/HIVE-23704?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17138490#comment-17138490 ]
David Mollitor commented on HIVE-23704:
---------------------------------------

Existing code works because Commons Digest Base64 implementation ignores invalid characters:
https://github.com/apache/commons-codec/blob/41c6f486fd4f5c2450c9311c40dbbf7e576d2907/src/main/java/org/apache/commons/codec/binary/Base64.java#L640

> Thrift HTTP Server Does Not Handle Auth Handle Correctly
> --------------------------------------------------------
>
>                 Key: HIVE-23704
>                 URL: https://issues.apache.org/jira/browse/HIVE-23704
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.1.2, 2.3.7
>            Reporter: David Mollitor
>            Assignee: David Mollitor
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>         Attachments: Base64NegotiationError.png
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> {code:java|title=ThriftHttpServlet.java}
> private String[] getAuthHeaderTokens(HttpServletRequest request,
>     String authType) throws HttpAuthenticationException {
>   // Header value with the auth scheme prefix already removed
>   String authHeaderBase64 = getAuthHeader(request, authType);
>   // Decodes the bytes of the Base64 text; Commons Codec skips any
>   // characters that are not part of the Base64 alphabet
>   String authHeaderString = StringUtils.newStringUtf8(
>       Base64.decodeBase64(authHeaderBase64.getBytes()));
>   String[] creds = authHeaderString.split(":");
>   return creds;
> }
> {code}
>
> So here, it takes the authHeaderBase64 (which is a base-64 string), and
> converts it into bytes, and then it tries to decode those bytes. That is
> incorrect. It should convert the base-64 string directly into bytes.
>
> I tried to do this as part of [HIVE-22676] and the tests were failing because
> the string that is being decoded is not actually Base-64 (see attached image).
> It has a stray space and a colon. Again, the existing code doesn't care
> because it's not parsing Base-64 text, it is parsing the bytes generated by
> converting base-64 text to bytes.
>
> I'm not sure what effect this has, what security issues this may present, but
> it's definitely not correct.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
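As an added illustration (not Hive's code and not part of the comment above), the same credential parsing done with the JDK's strict java.util.Base64 decoder, which throws on a stray space or colon instead of silently skipping it, and which splits on the first colon only so that a password containing ':' survives. The class and method names are assumptions, and the sample credentials are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example: strict parsing of a Basic-auth payload. Assumes the caller
 * has already stripped the "Basic " scheme prefix from the header value.
 */
public final class StrictBasicAuth {

    /** Returns {user, password}; throws if the payload is not clean Base64. */
    public static String[] decodeCredentials(String authHeaderBase64) {
        // java.util.Base64 rejects characters outside the Base64 alphabet
        // (e.g. a space or colon inside the text) with IllegalArgumentException,
        // where a lenient decoder would drop them and keep going.
        byte[] raw = Base64.getDecoder().decode(authHeaderBase64);
        String creds = new String(raw, StandardCharsets.UTF_8);
        // Split on the first ':' only: RFC 7617 forbids ':' in the user-id
        // but allows it in the password, so split(":") would truncate it.
        int sep = creds.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("credentials lack ':' separator");
        }
        return new String[] { creds.substring(0, sep), creds.substring(sep + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: "user:pa:ss" encoded, then a stray space inserted.
        String clean = Base64.getEncoder()
                .encodeToString("user:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] ok = decodeCredentials(clean);
        System.out.println("user=" + ok[0] + " password=" + ok[1]);

        String corrupted = clean.substring(0, 4) + " " + clean.substring(4);
        try {
            decodeCredentials(corrupted);
            System.out.println("unexpectedly accepted corrupted payload");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected corrupted payload: " + e.getMessage());
        }
    }
}
```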