[HIVE-23704] Thrift HTTP Server Does Not Handle Auth Handle Correctly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.7, 3.1.2
Fix Version/s: 4.0.0-alpha-1
Component/s: Security
Labels:
- pull-request-available

Description

ThriftHttpServlet.java

  private String[] getAuthHeaderTokens(HttpServletRequest request,
      String authType) throws HttpAuthenticationException {
    String authHeaderBase64 = getAuthHeader(request, authType);
    String authHeaderString = StringUtils.newStringUtf8(
        Base64.decodeBase64(authHeaderBase64.getBytes()));
    String[] creds = authHeaderString.split(":");
    return creds;
  }

So here, it takes the authHeaderBase64 (which is a base-64 string), and converts it into bytes, and then it tries to decode those bytes. That is incorrect It should covert base-64 string directly into bytes.

I tried to do this as part of ~~HIVE-22676~~ and the tests was failing because the string that is being decoded is not actually Base-64 (see attached image) It has a stray space and a colon. Again, the existing code doesn't care because it's not parsing Base-64 text, it is parsing the bytes generated by converting base-64 text to bytes.

I'm not sure what affect this has, what security issues this may present, but it's definitely not correct.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Base64NegotiationError.png
16/Jun/20 16:12
94 kB
David Mollitor

Issue Links

blocks

HIVE-22676 Replace Base64 in hive-service Package

Closed

links to

GitHub Pull Request #1127

Activity

People

Assignee:: David Mollitor

Reporter:: David Mollitor

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Jun/20 16:12

Updated:: 17/Nov/22 08:48

Resolved:: 21/Jun/20 16:30

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h